The purpose of a third-party security risk assessment is to identify risks of utilizing a cloud service and establish a risk treatment plan to reduce or mitigate these risks. Documentation regarding the Third-Party Security Risk Assessment service is available in our Knowledge Base.
If you have any questions, please send an email to RiskMgmt@osu.edu.
What systems are in scope of a third-party assessment?
The Information Security and Privacy Control Requirements (ISPCR) MGT1.1.2 control requires that a third-party security risk assessment be performed on any cloud-based system or service, managed by a third party, that stores, processes, or transmits Ohio State institutional data classified as S2 (Internal), S3 (Private), or S4 (Restricted).
What information is needed to request an assessment?
We have documented assessment request requirements for your reference. At a high level, you will need system purpose, contact information for the sponsor and vendor, what data types are handled, and any system integrations.
How is a risk assessment requested?
If your software request is submitted to the Workday Software Pre-Approval Process, a risk assessment will be initiated through that request. Otherwise, details on how to request a risk assessment are documented online. We recommend communicating with your area’s IT Security Coordinator for assistance.
What happens after I submit a request?
The DST Risk Management team will review the assessment request, check whether the vendor has previously been assessed, and communicate with the vendor if necessary. The requesting area’s IT Security Coordinator will be kept up to date on the status of the assessment.
Once the assessment is complete, a risk treatment plan will be developed and shared with the area’s IT Security Coordinator, the project sponsor, and any other stakeholders. The plan describes how the risk presented by the system will be reduced or mitigated so that the university can accept the remaining risk.
What if the software must be implemented prior to assessment completion?
When an urgent business need requires that a cloud-based system be implemented before a third-party risk assessment is complete, the business unit has the option to temporarily accept the risk of implementing the system. Please note that this does not eliminate the requirement for a risk assessment. The Technology and Information Exceptions and Risks (TIER) process is to be used in this situation. Reach out to your area’s IT Security Coordinator for assistance.
Resources
Contact
Email: RiskMgmt@osu.edu