UIS.501.4 Supplier Risk Assessment Guidelines

In support of UIS.501 Vendor Security Policy

Georgetown University has adopted the security audit and accountability principles established in NIST SP 800-53 “Risk Assessment” guidelines as the official policy for this security domain. Each departmental technology requisitioner, sponsor, administrator, steward and owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework.  

Supplier risk assessments must take into account risks posed to University operations, assets, or individuals from third-party technology vendors including but not limited to the following:

  • Special academic, environmental, political, social, or other activities where the University is host, participant, sponsor or likewise associated
  • Contractors operating information systems on behalf of the University
  • Individuals or other systems accessing the University’s information systems
  • Outsourced technology solutions, suppliers, vendors, and service providers

Vendor Risk Assessment Requirements  

Third-party technology vendors that are processing, storing, or transmitting the University’s information or operating information systems on behalf of the University must be approved and authorized by UIS.

  1. Technology vendors must be submitted for UIS technical review before executing new or renewing contracts or agreements with the University.
  2. UIS conducts a technical review to assess the technical fitness and security compliance of the new or continuing product or service. Technical reviews include, but are not limited to:
    • Analysis of supplier processes used to design, develop, test, implement, verify, deliver, and support information systems, system components, and information system services 

    • Assessment of the vendor’s security capability and compliance with University standards

    • Whether primary suppliers have security safeguards in place and a practice for vetting subordinate suppliers, for example, second- and third-tier suppliers, and any subcontractor. 

  3. UISO assesses the technology vendors based on the results of technical reviews.
    • Results of supplier security assessments are documented and communicated to the requesting University departments.

  4. All approved information technology-related agreements must include UIS contract language that requires technology vendors to provide an attestation of their security posture, in the form of a successful UIS technical review/assessment or an industry-recognized third-party assessment report (e.g. SOC 2 Type 2, SSAE18).