Third-Party Risk Management (TPRM) Review

Description

Information Security conducts a security assessment as the initial step in a multi-phase evaluation by the University before approving or onboarding a new vendor/third-party within Villanova University's environment. Our main goal is to ensure these entities are properly vetted and provide appropriate protections for Villanova's institutional data. This process, otherwise known as the Third-Party Risk Management (TPRM) Review, informs risk mitigation during the scoping and contracting phase, identifying additional contractual or technical/information security requirements and helping avoid unforeseen delays in engagement, implementation or onboarding.

To initiate this review, click on the Request Third-Party Risk Management (TPRM) Review button. This request can be submitted during any of the stages of engagement with a vendor or third-party, including, but not limited to, the following scenarios:

• New third-parties/vendors and an assessment of their security posture, practices and control environment.
• Current third-parties/vendors and an assessment of any changes to their security posture, practices and control environment. 
• Prior to renewal of an existing vendor, with expanded scope or addition of products/services (e.g. expanding to Restricted data classification or when a third-party requires expanded/privileged permissions or access to systems, applications, networks or IT infrastructure). 
• Operational risk review during the Project Management Office's Technical Review Architecture Committee (TRAC).
• Vendor selection such as during an Request for Proposal (RFP) or Request for Information (RFI) processes.

Audience

This service is available for faculty and staff members

Cost

None.

Requesting

To request a vendor review, create a ticket by clicking the "Request Third-Party Risk Management (TPRM) Review" button on this page.

Service Levels