Vendor Security Risk Assessment Operating Standard
Implementing Executive: Vice Chancellor and Chief Information Officer
Responsible Unit: Pitt Information Technology
Category: Information Security
Effective Date: June 1, 2023
Purpose
The University routinely engages with outside businesses or service providers (Vendors) to help pursue its mission. Entrusting Vendors with data about the University and members of the University community carries risks that can have a detrimental impact if proper security precautions are not in place. Pitt IT Information Security, working with the Cooperating Authorities listed below, has implemented this Vendor Security Risk Assessment policy to ensure that Vendor security practices are consistent with the security risks their products or services may carry. Proactive assessment and management of Vendor security controls ensures that sensitive personal and University information is given to Vendors only when proper security controls are in place.
Proper Vendor Security Risk Assessments will help reduce the likelihood or mitigate the impact of harm relating to:
- Failure by Vendors to protect information of students, faculty, staff, parents, research participants, alumni, donors, ticketholders, or anyone else who trusts the University to protect information the University holds about them.
- Damage to the University’s reputation because of a system breach or loss of data hosted or managed by a Vendor.
- Intrusion into University systems due to a Vendor’s failure to monitor and control its access to University systems.
- Costs incurred by the University for notification of security breaches, credit monitoring services, call center staffing to handle inquiries, and legal fees the University might incur.
- Impairments to the University’s daily operations and inability to fully provide vital services through incidents such as ransomware attacks or theft of data.
This policy formalizes a longstanding set of University business practices.
Scope
This policy applies to all University of Pittsburgh purchases or uses of information technology products and services from Vendors, including Artificial Intelligence (AI), originating from any campus or University location, and including all products that store or use University data and/or end-user personal information.
Policy
University purchasers must request a Vendor Security Assessment prior to purchasing goods or services that are IT-related or that involve University data, including research data and personal information about individuals affiliated with the University. Purchasing Services will direct the purchaser to initiate the assessment process if it has not been requested and completed before the purchase is initiated.
Once the purchaser completes the questionnaire, Pitt IT Security will contact the Vendor for details about their information security programs and practices. The discussions may be complex depending on the potential risks involved. Generally, the greater the risk, the more complex the security review process will be as the University is required to comply with various laws and regulations including, but not limited to, FERPA, FISMA, GLBA, and HIPAA. The University must therefore require its Vendors to demonstrate compliance with all applicable laws and University policies before and during their engagement to provide the University community with products and services.
Vendors of products and services that pose significant risks to the University community will undergo annual reassessments to ensure continuing compliance.
Noncompliance
Failure by purchasers to request a security review or lack of cooperation by Vendors in the security review process may result in significant delays in the acquisition of needed products or services. Reviews conducted after a purchase could result in the cancellation of contracts or the return of products found to be noncompliant with security standards and best practices. The purchaser is responsible for providing accurate and complete service and product information, as well as Vendor contact information when completing the Vendor Security Request Form via the link above.
Contact Information
This policy is posted to the Policies section of the Information Technology website and can be found at https://www.technology.pitt.edu/it-policies-and-standards.
Cooperating Authorities
Purchasing Services, Office of the Chief Financial Officer
Office of Risk Management
Office of Compliance, Investigations, and Ethics
Related Policies and Additional Information
Pitt IT Security
University Policies Relating to Data Security
- University Administrative Computer Data (UACD) Security and Privacy AO 35
- Use and Management of Social Security Numbers and University Primary ID (UPI) Numbers CS 23
- Payment Card Handling and Acceptance FN 16
- Health Insurance Portability and Accountability Act CS 30
- Access to and Release of Education Records Act AC 04
- Computer Data Administration AO 10