Assess the Risk of a Third Party Vendor

If a vendor is providing services or gaining access to Yale data or technology, Yale ITS will run the vendor through the Third Party Risk Management (TPRM) process. The TPRM service pilot is available to all Yale ITS staff and will run through September 2019.

What is the Third Party Risk Management pilot?

The Third Party Risk Management (TPRM) service is designed to assess the risk associated with the use of a particular vendor or vendor-provided service at Yale. The service assesses the vendor by considering business health, credit risk, and information technology security controls, and provides a qualitative analysis of the general level of risk Yale would carry by working with that vendor.

Why does Yale need Third Party Risk Management? 

The TPRM service provides insight into a vendor's operations that may not be captured through traditional information gathering activities. The level of insight goes beyond standard information gathering questionnaires: the information gathered is tailored to the line(s) of business being served and to the risk classification of the data shared with the vendor.

What should I expect? 

Requestors are asked to fill out a short Qualtrics survey that will provide the Information Security, Policy, and Compliance (ISPC) team with the following:

  1. General contact information for the vendor (local representation is acceptable)
  2. Contact information for the requestor
  3. Information on the risk classification associated with the data or technology the vendor will have access to
  4. Information on any applicable regulations which are tied to the data which is being shared with the vendor (e.g. HIPAA, FERPA, PCI, etc.)

Once the vendor assessment is complete, the requestor will receive a risk assessment report for the vendor, highlighting any areas of concern.

Typically, the overall vendor evaluation process takes two weeks; however, this estimate depends on the responsiveness of the vendor being assessed.

How do I initiate the Third Party Risk Management process? 

Navigate to the Third Party Risk Management request form here.

Ask for Help 

For questions or concerns about the Third Party Risk Management process, contact the Information Security, Risk and Compliance team at