Third Party Security Risk Assessments
A third-party security risk assessment is required of any system or service, managed by a third party, that stores, processes, or transmits Ohio State institutional data classified as:
- S2 (Internal) (if that service or system contains an integration with another university system)
- S3 (Private)
- S4 (Restricted)
The purpose of the assessment is to identify risks of utilizing the cloud service and recommend controls that might mitigate or reduce these risks.
The Data Security & Privacy Addendum (DSPA) is available as an alternative to performing a third-party security risk assessment for an S2 system or service that has no integration with other university systems. If your unit/college chooses not to use the DSPA, please following the existing process of completing a third-party security risk assessment.
If you have any questions, please send an email to cio-itriskassessments@osu.edu.
What systems are in scope of a third party assessment?
The Information Security Control Requirements (ISCR) MGT1.1.2 control requires a risk assessment of specified cloud-based systems that host OSU data and are managed by a third party. This includes:
- New third party implementations
- Existing systems that have undergone a major change
- The university’s use of the system has changed.
The following are examples that would necessitate an assessment:
- A business area is seeking to subscribe to a cloud software service.
- A previous assessment was conducted for a cloud service, but now the use of the system has evolved, and the business unit is seeking to store a higher data classification.
- An assessment was conducted for a cloud service, and the business unit is now seeking to integrate with other systems.
- The cloud service was previously assessed and is listed on Cloud Assessment Registry, but another area is seeking to use it in a very different manner.
What information is needed to request an assessment?
For each assessment the Risk Management Team needs:
- A point of contact from the internal project team who can answer questions about how Ohio State intends to use the application;
- A point of contact with the vendor who can answer technical questions about the application; and
- The vendor’s Federal Employer Identification Number (EIN) also known as Federal Tax ID.
The Risk Management Team needs contacts who are willing and capable of answering questions about the system. Additionally, the use case and implementation plan must be well defined.
The person requesting the assessment is responsible for identifying contacts, as well as identifying who will be responsible for ensuring the Security Questionnaire is completed. The requestor is also expected to provide preliminary details about the use case, any deadlines and what type of assessment has already been completed or is planned.
Please note that this service only assesses the information security risks associated with online applications. The requester is still responsible for initiating contact with Legal Affairs, ADA and Purchasing.
What happens after I submit a request?
The request will be assigned to a member of the Risk Management Team. They will communicate with the vendor, Security Coordinator for the university area, and stakeholders.
Recommendations are made about how to best implement the application to minimize identified vulnerabilities.
A report is presented to the Assessment Working Group (AWG) which decides whether or not the level of risk is acceptable to the university. A detailed process map depicts the entire procedure.
How is a risk assessment requested?
ONLY IT Directors and Security Coordinators may request an assessment. This is to ensure that the IT staff are aware of the request.
- Login to ServiceNow.
- Click Order Services.
- Click IT Security Services
- Click on Third Party Risk Assessment
- Complete the requested information and click Submit
If you are unable to access or complete the request, please email the cio-itriskassessments@osu.edu for assistance.
What if the software must be implemented prior to assessment completion?
When an urgent business dictates the need to implement a cloud-based system prior to the completion of a third-party risk assessment, the business unit does have the option to temporarily accept risk for implementing the system. Please note that this does not eliminate the requirement for a risk assessment. A detailed process document depicts the entire procedure.
Resources