Request a Third Party Risk Management Assessment
We must protect Yale Data and IT Systems no matter where they are hosted. Sometimes we use third party vendors (e.g., cloud services) to host Yale Data and systems. The Third Party Risk Management (TPRM) service analyzes the cyber risk of engaging those vendors.
What is Third Party Risk Management?
TPRM identifies and analyzes cyber risks associated with outsourcing to third-party service providers. Yale uses this assessment to determine how to proceed with the vendor engagement.
The TPRM service provides insight into the security of the vendor's environment. Acting on the assessment's findings before the engagement proceeds can reduce the likelihood of:
- data breaches
- operational failures
- non-compliance with regulatory requirements
When should I use the TPRM service?
The Third Party Risk Management (TPRM) service is currently available to all ITS staff. ITS staff must use the TPRM service when either of the following conditions applies:
- They are using a vendor to host a High or Moderate Risk IT System
- They are giving a vendor access to High/Moderate Risk Yale Data or a High/Moderate Risk Yale IT System
For an existing vendor, engage the TPRM service when the contract comes up for negotiation.
What should I expect from the TPRM process?
The TPRM process involves a Yale representative and the vendor being assessed. The process includes four steps:
- The Yale representative requests a TPRM assessment.
- The vendor being assessed creates an account in the TPRM Platform.
- The vendor completes a TPRM assessment.
- Yale receives a cyber risk report. The Information Security Office (ISO) discusses the results with the Yale representative, including a recommendation on whether and how to proceed with the vendor.
Step 1: Request a TPRM Assessment
The process starts with a short survey. The survey provides Prevalent (Yale's TPRM vendor) with the following information:
- Contact information for the vendor.
- Contact information for the Yale requester.
- The IT System Risk Classification
- Information on any applicable external obligations, meaning any regulations that apply to the data the vendor will host or access. Examples include HIPAA, FERPA, and PCI. For more information, visit our external obligations page.
Step 2: The vendor being assessed creates an account in the TPRM Platform
The vendor being assessed will receive an email inviting them to create their own account. The email will come from Yale's TPRM provider, Prevalent, and will resemble the sample email below:
[Sample account-creation email from Prevalent]
Step 3: The vendor completes a TPRM assessment
Once the vendor has created an account, they need to complete an assessment questionnaire. The assessment is based on the Higher Education Cloud Vendor Assessment Tool (HECVAT).
Step 4: Review the Cyber Risk Report
Once the assessment is complete, you will receive a cyber risk report for the vendor. This report outlines any potential areas of cyber risk and gives one of three recommendations:
- OK to proceed
- Proceed if willing to accept the outlined risk
- Should not proceed
Once the report is created, a member of the ISO will schedule a meeting with the Yale representative to discuss the results of the report and any concerns you may have.