Vendor Security Review Standard
Table of Contents
1. Purpose and Background
2. Standards
2.1 Required Risk Assessment
2.2 Alternative Assessments
3. Review and Risk Ratings
3.1 Risk Rating and Sign-off - With SOC 2 Type II or other acceptable assessment
3.2 Risk Rating and Sign-off - Without SOC 2 Type II or other external assessment
4. Definitions
5. Related Links
6. Further Guidance
7. Exceptions
REVISION HISTORY: November 29, 2023, January 26, 2022, April 30, 2020
1. Purpose and Background
The University Data Protection Standards include requirements for the review of third-party vendors that handle Highly Sensitive Data (HSD) and/or mission critical services.
This standard, as part of the University's Data Protection of University Information (IRM-003) policy, outlines the responsibilities and processes for obtaining and reviewing the risk assessments.
2. Standards
2.1 Required Risk Assessment
Business owners engaging third-party vendors who process, store, or transmit HSD and/or who provide services/systems that are mission critical must work with their vendor to complete a risk review.
- Business units engaging vendors who, either directly or indirectly via a subservice provider, process, store, or transmit credit card information (also known as PCI data or cardholder data (CHD)) must contact the University Payment Card Services office.
- Business units engaging vendors who process, store, or transmit HSD other than PCI data and/or are providing services/systems that are mission critical must work with these vendors to provide a Service Organization Control 2 (SOC 2) Type II report during the procurement process and annually thereafter.
The vendor's SOC 2 Type II report must cover a time period within six months of the request from UVA. If the SOC 2 Type II report is not within six months of the date requested, the vendor must provide a bridge letter.
After receiving the report, the department must reach out to Information Security to provide the vendor’s contact information and receive information on securely transferring the documents. The appropriate Information Security office can be reached using the following contact information:
- For Health System units, email: [email protected]
- For Academic division units:
  - Initiate an Information Security Compliance review
  - Email: [email protected]
2.2 Alternative Assessments
In cases where a SOC 2 Type II report is unavailable from a vendor:
- The vendor may submit an external security assessment that meets the following criteria:
  - The assessment covers the testing of the data protection, privacy, and security controls in place at the vendor.
  - The assessment is performed and signed off by an organization that is independent of the vendor.
  - The controls in the assessment are representative of the vendor's current state.
- If no SOC 2 Type II report or acceptable external assessment is available, the vendor can complete and submit a self-assessment questionnaire, which will be provided by the appropriate Information Security office. The completed questionnaire will be incorporated into the vendor's contract with the University of Virginia.
3. Review and Risk Ratings
3.1 Risk Rating and Sign-off - With SOC 2 Type II or other acceptable assessment
Information Security will review the documents and assign a risk rating (e.g., high, medium, low). The following table explains the steps needed to approve the procurement or continued use of the service.
Risk Rating | UVA Health Reviewers Sign off | UVA Academic Reviewers Sign off | UVA Wise Reviewers Sign off | Other Requirements |
---|---|---|---|---|
High | 1. Health System CITO 2. Appropriate Service Line Chief/Administrator 3. Business Owner | 1. Academic CIO 2. Executive Vice-President/Chief Operating 3. Dean or VP of appropriate business unit. 4. Business Owner | 1. UVA Wise Director of Information Technology & CSO 2. UVA Wise Vice Chancellor for Finance & 3. Chair or Head of appropriate business unit 4. Business Owner | Department must provide a business justification for the procurement or continued use of the service. This justification will be reviewed along with the risk analysis. |
Medium | 1. Appropriate Service Line Chief/Administrator 2. Business Owner | 1. Dean or VP of appropriate business unit 2. Business Owner | 1. Chair or Head of appropriate business unit 2. Business Owner | Department must provide a business justification for the procurement or continued use of the service. This justification will be reviewed along with the risk analysis. |
Low | None | None | None | |
3.2 Risk Rating and Sign-off - Without SOC 2 Type II or other external assessment
In cases where the vendor did not provide a SOC 2 Type II report or other acceptable assessment, sign-off will always be required. The following table explains the sign-off needed to approve the procurement or continued use of such a service.
Risk Rating | UVA Health Reviewers Sign off | UVA Academic Reviewers Sign off | UVA Wise Reviewers Sign off | Other Requirements |
---|---|---|---|---|
High | 1. Health System CITO 2. Appropriate Service Line Chief/Administrator 3. Business Owner | 1. Academic CIO 2. Executive Vice-President/Chief Operating 3. Dean or VP of appropriate business unit 4. Business Owner | 1. UVA Wise Director of Information Technology & CSO 2. UVA Wise Vice Chancellor for Finance & 3. Chair or Head of appropriate business unit 4. Business Owner | Department must provide a business justification for the procurement or continued use of the service. This justification will be reviewed along with the risk analysis. |
Medium | 1. Health System CITO 2. Appropriate Service Line Chief/Administrator 3. Business Owner | 1. Academic CIO 2. Executive Vice-President/Chief Operating 3. Dean or VP of appropriate business unit 4. Business Owner | 1. UVA Wise Director of Information Technology & CSO 2. UVA Wise Vice Chancellor for Finance & 3. Chair or Head of appropriate business unit 4. Business Owner | Department must provide a business justification for the procurement or continued use of the service. This justification will be reviewed along with the risk analysis. |
Low | 1. Appropriate Service Line Chief/Administrator 2. Business Owner | 1. Academic CIO 2. Executive Vice-President/Chief Operating 3. Dean or VP of appropriate business unit 4. Business Owner | 1. UVA Wise Director of Information Technology & CSO 2. UVA Wise Vice Chancellor for Finance & 3. Chair or Head of appropriate business unit 4. Business Owner | |
4. Definitions
See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.
5. Related Links
6. Further Guidance
7. Exceptions
If you think you need to request an exception to these requirements, please refer to the Exceptions Process.