
Third Party Risk Management (TPRM) Service


Request a Third Party Risk Management Assessment

We must protect Yale Data and IT Systems no matter where they are hosted. Sometimes we use third party vendors (e.g., cloud services) to host Yale Data and systems. The Third Party Risk Management (TPRM) service analyzes the cyber risk of engaging those vendors.

Request a TPRM Assessment

What is Third Party Risk Management?

TPRM identifies and analyzes the cyber risks associated with outsourcing to third-party service providers. Yale uses this assessment to determine how to proceed with the vendor engagement.
The TPRM service provides insight into the security controls in the vendor's environment. Reviewing those controls before engaging a vendor can reduce the likelihood of:

  • data breaches
  • operational failures
  • non-compliance with regulatory requirements

When should I use the TPRM service?

The Third Party Risk Management (TPRM) service is currently available to all ITS staff. ITS staff must use the TPRM service when either of the following conditions applies:

  • They are using a vendor to host a High or Moderate Risk IT System
  • They are giving a vendor access to High or Moderate Risk Yale Data or a High or Moderate Risk Yale IT System

For existing vendors, engage the TPRM service during contract negotiations.

The TPRM process usually takes less than one month. This estimate depends upon the responsiveness of the vendor, since the vendor must complete the assessment before a report can be produced.

What should I expect from the TPRM process?

The TPRM process involves a Yale representative and the vendor being assessed. The process includes four steps:

  1. The Yale representative requests a TPRM assessment.
  2. The vendor being assessed creates an account in the TPRM Platform.
  3. The vendor completes a TPRM assessment.
  4. Yale receives a cyber risk report. The Information Security Office (ISO) discusses the results with the Yale representative, including recommendations for proceeding with the vendor.

Step 1: Request a TPRM Assessment 

The process starts by filling out a short survey. The survey provides Prevalent (Yale's TPRM vendor) with the following information:

  1. Contact information for the vendor.
  2. Contact information for the Yale requester.
  3. The IT System Risk Classification of the system or data involved.
  4. Information on any applicable external obligations, meaning any regulations associated with the data hosted or accessed by the vendor. Examples include HIPAA, FERPA, and PCI DSS. For more information, visit our external obligations page.

Request a TPRM Assessment 

Step 2: The vendor being assessed creates an account in the TPRM Platform 

The vendor being assessed will receive an email inviting them to create their own account. The email will come from Yale's TPRM provider, Prevalent, and will resemble the sample email below:

[Image: sample vendor invitation email from Prevalent]


Step 3: The vendor completes a TPRM assessment 

Once the vendor has created an account, they will need to complete an assessment questionnaire. The assessment is based on the Higher Education Cloud Vendor Assessment Tool (HECVAT), a standardized security questionnaire for cloud vendors serving higher education.

Step 4: Review the Cyber Risk Report 

Once the vendor completes the assessment, the Yale representative will receive a cyber risk report for the vendor. This report outlines any potential areas of cyber risk and provides one of the following recommendations:

  • Ok to Proceed 
  • Proceed if willing to accept outlined risk
  • Should not proceed

Once the report is created, a member of the ISO will schedule a meeting with the Yale representative to discuss the results of the report and any concerns the representative may have.

How do I start a Third Party Risk Management Request?

Use this link to navigate to the Third Party Risk Management request form.

Need help?

For questions about the TPRM Service, contact the ISO. Email us at