Third-Party Risk Management Assessment
Third-Party Risk Management (TPRM) helps ensure that a vendor has a reasonable security program capable of protecting Yale’s data and systems at the appropriate risk level.
What is TPRM at Yale?
Yale uses an industry standard third-party assessment tool called HECVAT. The assessment helps us make risk-based decisions about the vendor’s ability to protect data and systems from:
- Data breaches
- Operational failures
- Compliance and regulatory issues
When should I use the TPRM?
TPRM is part of the Security Planning Assessment (SPA) process for moderate- and high-risk vendor systems. Information Security staff will launch the assessment when it is needed.
What do I get from TPRM?
You will receive a scored report with either “OK to proceed” or “Risks must be addressed.” If the report shows that the vendor poses significant risk that they cannot or will not fix, you can either choose a different vendor or work with the Information Security Office (ISO) to register risk acceptance through the security exception process.