Requesting a Vendor Risk Management (VRM) Review

As part of the procurement process, be sure to include the Office of Information Security in the sourcing phase of any effort to acquire information technology services, hardware, or software. Information Security must be consulted for both free and paid services. This is done by requesting a Vendor Risk Management (VRM) Review.

How do I include Information Security in the process?
Why should I include Information Security in the process?
What types of information may I be asked to provide for the security review?
How do I know if a vendor/solution has been approved?
What do I need to do after a vendor/solution has been approved?

How do I include Information Security in the process?

Submit a short form to request a VRM Review from Information Security, or send an email to Information.Security@dartmouth.edu.

When submitting a request, make sure to indicate any contacts from procurement and the requesting Dartmouth department/team that should be included on any updates for the Information Security review.

Acquiring an information technology resource will entail agreeing to contractual terms and conditions. The contract could be as simple as an online 'click-through' agreement where you say "I agree", or as detailed as a lengthy document resulting from months of negotiations between Dartmouth and the vendor. In every scenario, Information Security should be contacted well before you accept any terms or agreement that binds Dartmouth.

Why should I include Information Security in the process?

Dartmouth's experts can evaluate security risks related to a vendor or service.  Areas of review commonly include:

  • information technology resource being acquired
  • Dartmouth systems impacted by the resource
  • sensitivity of data involved
  • the vendor's response to potential data breaches
  • the vendor's Service Level Agreement

What types of information may I be asked to provide for the security review?

  • Details of the proposed contract between Dartmouth and the vendor
    • A copy of the vendor's Service Level Agreement (SLA).
    • A copy of the applicable Statement of Work or Scope of Work (SOW).
  • A description of the Dartmouth data that will be stored, processed, or transmitted.
    • Examples of Dartmouth data include student/faculty/staff contact information, financial transactions, video recordings, research data, emails, and class work.
  • DISC Classification of the data you described above. The Dartmouth Information Security Committee (DISC) developed the Data Security Levels listed below to help classify data accurately and ensure appropriate security measures are implemented. For more information, please see the Dartmouth Information Security Policy and A Practical Guide to DISC Classification.
    • Level 0 - Data meant for public disclosure is defined as Level 0.
    • Level 1 - Data with no confidentiality classification, but not intended for public disclosure, is considered Level 1 data. This is general business data for use within Dartmouth, and protected at a baseline level of control (available to the Dartmouth community via authenticated IT access, or authorized physical access to Dartmouth facilities).
    • Level 2 - Data classified as level 2 are data which can only be shared with individuals deemed to have a 'need to know' as defined by the data owner.
    • Level 3 - Data classified as level 3 are strictly confidential and require the highest level of protection. This includes FERPA-protected student records, personally identifiable information (PII), protected health information (PHI), and payment card data covered by PCI DSS, among others.
  • For anything above DISC Level 1, procurement should ask the vendor to complete one of the following security questionnaires before a vendor risk management review request is submitted to Information Security:
    • Higher Education Community Vendor Assessment Toolkit (HECVAT) - The preferred questionnaire framework, designed specifically for higher education to measure vendor risk. There are three main versions of the HECVAT that we might ask you to have vendors complete:
      • HECVAT - Full: Robust questionnaire used to assess the most critical data-sharing engagements. Preferred for vendors/solutions that handle sensitive data, e.g. payment card information or PII (Personally Identifiable Information).
      • HECVAT - Lite: A lightweight questionnaire used to expedite the process
      • HECVAT On-Premise: Questionnaire used to evaluate on-premises appliances and software operated exclusively by Dartmouth employees. It is not distributed to vendors; it is completed internally.
    • Vendor Security Self-Assessment (VSSA) - A legacy security assessment, recommended only for established vendors who have previously completed this form. This workbook contains Dartmouth's control objectives, which are based on the College's implementation of the ISO 27002 standard.
  • Additional application security and data protection documentation may also be requested, including one or more of the following. 
    • System and Organization Controls (SOC) Reporting - designed to build trust and confidence in a vendor's services through a report by an independent Certified Public Accountant (CPA)
      • SOC 2 Type 2 - restricted use reports, often require a signed Non-Disclosure Agreement (NDA) for release
      • SOC 3 - general use reports that can be distributed freely, should not require a signed NDA for release
    • ISO 27001 - a vendor can be certified against the ISO 27001 standard, which means an accredited auditor has assessed its information security management system; the certificate shows customers that the vendor has documented controls for safeguarding their data.
    • Attestation of Compliance (AOC) - document certifying an organization's compliance with PCI DSS, the standard that governs the handling of credit card and other payment card data.
    • Vendor Data Processing Agreement (DPA) - GDPR compliance requires a data controller to sign a data processing agreement with any party that acts as data processor on its behalf.  A data processing agreement is a contract that states the rights and obligations of each party concerning the protection of personal data.
    • Other Data Security Documentation - examples include vendor security White Papers, and product information data sheets

How do I know if a vendor/solution has been approved?

  • Once Information Security has submitted a vendor evaluation, the Dartmouth department is cleared to move forward with the requested vendor/solution. If any additional documentation or information is required before a vendor can be approved, Information Security will request it before submitting the evaluation.
  • A vendor evaluation will include the following:
    • Context - any contextual information relevant to review
    • Vendor Review - details of the assessment
    • Documents Reviewed - list of documents reviewed as a part of the assessment
    • Recommendations - list of recommendations for implementation by the Dartmouth department or team that is making the purchase.
      • These recommendations act as guidelines for potential risks and how they can be addressed. 
      • If the associated Dartmouth department is not included on the review, the procurement contact should pass these recommendations on to the appropriate department contacts.
      • Send an email to Information.Security@dartmouth.edu if you need additional advice on how to implement these recommendations. 

What do I need to do after a vendor/solution has been approved?

  • The recommendations in the vendor evaluation will indicate whether any items may require additional follow-up in the future. Though Information Security is here to help with any questions, it is up to the Dartmouth department that is making the purchase to determine how and when to implement these recommendations.
  • The status of the ticket will be changed to "Closed" to indicate that the vendor or solution has been approved.
  • Please comment directly on the ticket if you need it to be reopened for additional questions or concerns.