Vendor Security Review Standard

Table of Contents

1.  Purpose and Background
2.  Standards
      2.1 Required Risk Assessment
      2.2 Alternative Assessments
3.  Review and Risk Ratings
      3.1 Risk Rating and Sign-off - With SOC 2 Type II or other acceptable assessment
      3.2 Risk Rating and Sign-off - Without SOC 2 Type II or other external assessment
4.  Definitions
5.  Related Links
6.  Further Guidance
7.  Exceptions

REVISION HISTORY: November 29, 2023; January 26, 2022; April 30, 2020

1.  Purpose and Background

The University Data Protection Standards require a security review of third-party vendors that handle Highly Sensitive Data (HSD) and/or provide mission-critical services.

This standard, which forms part of the University's Data Protection of University Information (IRM-003) policy, sets out the responsibilities and process for obtaining and reviewing those vendor risk assessments.

2.  Standards

2.1 Required Risk Assessment

Business owners engaging third-party vendors that process, store, or transmit HSD, and/or that provide mission-critical services or systems, must work with the vendor to complete a risk review.

  • Business units engaging vendors that process, store, or transmit credit card information (also called PCI data or cardholder data (CHD)), whether directly or indirectly through a subservice provider, must contact the University Payment Card Services office.
  • Business units engaging vendors that process, store, or transmit HSD other than PCI data, and/or that provide mission-critical services or systems, must work with those vendors to obtain a System and Organization Controls (SOC) 2 Type II report during the procurement process and annually thereafter.

The audit period covered by the vendor's SOC 2 Type II report must end within six months of the date UVA requests it. If the most recent report is older than that, the vendor must also provide a bridge letter attesting that the controls have continued to operate since the end of the audited period.

After receiving the report, the department must reach out to Information Security to provide the vendor’s contact information and receive information on securely transferring the documents.  The appropriate Information Security office can be reached using the following contact information:

2.2 Alternative Assessments

In cases where a SOC 2 Type II report is unavailable from a vendor:

  1.  The vendor may submit an external security assessment that meets all of the following criteria:
    • The assessment covers testing of the data protection, privacy, and security controls the vendor has in place.
    • The assessment is performed and signed off by an organization that is independent of the vendor.
    • The controls described in the assessment represent the vendor's current state.
  2.  If neither a SOC 2 Type II report nor an acceptable external assessment is available, the vendor may complete and submit a self-assessment questionnaire provided by the appropriate Information Security office. The completed questionnaire will be incorporated into the vendor's contract with the University of Virginia.

3.  Review and Risk Ratings

3.1 Risk Rating and Sign-off - With SOC 2 Type II or other acceptable assessment

Information Security will review the documents and assign a risk rating (high, medium, or low). The following table lists the sign-offs required to approve the procurement or continued use of the service, by risk rating and by University division.

Risk rating: High
  UVA Health reviewers sign-off:
    1. Health System CITO
    2. Appropriate Service Line Chief/Administrator
    3. Business Owner
  UVA Academic reviewers sign-off:
    1. Academic CIO
    2. Executive Vice-President/Chief Operating Officer (EVP/COO)
    3. Dean or VP of appropriate business unit
    4. Business Owner
  UVA Wise reviewers sign-off:
    1. UVA Wise Director of Information Technology & CSO
    2. UVA Wise Vice Chancellor for Finance & Administration/Chief Operating Officer (COO)
    3. Chair or Head of appropriate business unit
    4. Business Owner
  Other requirements:
    Department must provide a business justification for the procurement or continued use of the service. This justification will be reviewed along with the risk analysis.

Risk rating: Medium
  UVA Health reviewers sign-off:
    1. Appropriate Service Line Chief/Administrator
    2. Business Owner
  UVA Academic reviewers sign-off:
    1. Dean or VP of appropriate business unit
    2. Business Owner
  UVA Wise reviewers sign-off:
    1. Chair or Head of appropriate business unit
    2. Business Owner
  Other requirements:
    Department must provide a business justification for the procurement or continued use of the service. This justification will be reviewed along with the risk analysis.

Risk rating: Low
  UVA Health reviewers sign-off: None
  UVA Academic reviewers sign-off: None
  UVA Wise reviewers sign-off: None
  Other requirements: None

3.2 Risk Rating and Sign-off - Without SOC 2 Type II or other external assessment

Where the vendor has not provided a SOC 2 Type II report or other acceptable external assessment, sign-off is always required, regardless of the assigned risk rating. The following table lists the sign-offs required to approve the procurement or continued use of such a service, by risk rating and by University division.

Risk rating: High
  UVA Health reviewers sign-off:
    1. Health System CITO
    2. Appropriate Service Line Chief/Administrator
    3. Business Owner
  UVA Academic reviewers sign-off:
    1. Academic CIO
    2. Executive Vice-President/Chief Operating Officer (EVP/COO)
    3. Dean or VP of appropriate business unit
    4. Business Owner
  UVA Wise reviewers sign-off:
    1. UVA Wise Director of Information Technology & CSO
    2. UVA Wise Vice Chancellor for Finance & Administration/Chief Operating Officer (COO)
    3. Chair or Head of appropriate business unit
    4. Business Owner
  Other requirements:
    Department must provide a business justification for the procurement or continued use of the service. This justification will be reviewed along with the risk analysis.

Risk rating: Medium
  UVA Health reviewers sign-off:
    1. Health System CITO
    2. Appropriate Service Line Chief/Administrator
    3. Business Owner
  UVA Academic reviewers sign-off:
    1. Academic CIO
    2. Executive Vice-President/Chief Operating Officer (EVP/COO)
    3. Dean or VP of appropriate business unit
    4. Business Owner
  UVA Wise reviewers sign-off:
    1. UVA Wise Director of Information Technology & CSO
    2. UVA Wise Vice Chancellor for Finance & Administration/Chief Operating Officer (COO)
    3. Chair or Head of appropriate business unit
    4. Business Owner
  Other requirements:
    Department must provide a business justification for the procurement or continued use of the service. This justification will be reviewed along with the risk analysis.

Risk rating: Low
  UVA Health reviewers sign-off:
    1. Appropriate Service Line Chief/Administrator
    2. Business Owner
  UVA Academic reviewers sign-off:
    1. Academic CIO
    2. Executive Vice-President/Chief Operating Officer (EVP/COO) or designee
    3. Dean or VP of appropriate business unit, or designee
    4. Business Owner
  UVA Wise reviewers sign-off:
    1. UVA Wise Director of Information Technology & CSO
    2. UVA Wise Vice Chancellor for Finance & Administration/Chief Operating Officer (COO) or designee
    3. Chair or Head of appropriate business unit, or designee
    4. Business Owner
  Other requirements: None

4.  Definitions

See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.

5.  Related Links

6.  Further Guidance

7.  Exceptions

If you think you need to request an exception to these requirements, please refer to the Exceptions Process.

APPROVER: CHIEF INFORMATION OFFICER