Third-Party Vendor Security Review

Description

The Office of Information Security (OIS) conducts a security assessment as the initial step in a multi-phase evaluation by the University before approving or onboarding a new vendor/third-party within Villanova University's environment. Our main goal is to ensure these entities are properly vetted and provide appropriate protections for Villanova's institutional data. This process, otherwise known as the Third-Party Risk Management (TPRM) review, informs risk mitigation during the scoping and contracting phase, identifying additional contractual or technical/information security requirements and helping avoid unforeseen delays in engagement, implementation or onboarding.

To initiate this review, click on the Request Third-Party Vendor Security Review button. This request can be submitted during any of the stages of engagement with a vendor or third-party, including, but not limited to, the following scenarios:

• New third-parties/vendors and an assessment of their security posture, practices and control environment.
• Current third-parties/vendors and an assessment of any changes to their security posture, practices and control environment. 
• Prior to renewal of an existing vendor, with expanded scope or addition of products/services (e.g. expanding to Restricted data classification or when a 3rd party requires expanded/privileged permissions or access to systems, applications, networks or IT infrastructure). 
• Operational risk review during the Project Management Office's Technical Review Architecture Committee (TRAC).
• Vendor selection such as during an Request for Proposal (RFP) or Request for Information (RFI) processes.

Eligibility

This service is available for faculty and staff members

Cost

None.

How to Access and Use

To request a vendor review, create a ticket by clicking the "Request Third-Party Vendor Security Review" button on this page.

Service Levels