Purpose

The Architecture and Security Risk Review (ASR) at Trinity College is designed to evaluate and manage risks associated with third-party vendors. This process ensures that any external entity handling Trinity College’s data complies with our security and privacy standards, safeguarding the confidentiality, integrity, and availability of our information.

Why It Matters

Engaging with third-party vendors introduces potential risks to the institution’s data and information. It’s imperative to assess these risks before entering into any agreement with a vendor who will handle Trinity College data—whether by using, processing, storing, or transmitting it. This review helps identify potential vulnerabilities and ensures the vendor meets the necessary security standards, protecting the institution and its data.

Key Definitions

  • Third-Party Vendor: An external company, individual, or service provider that offers products, services, or software interacting with, storing, processing, or transmitting Trinity College data.
  • Business Unit Sponsor: The individual within a department or business unit who initiates the request to purchase a product, service, or software. The sponsor ensures the product aligns with the unit’s goals and coordinates the procurement process, including necessary assessments and approvals.
  • Sensitive Data: Any information protected by law or institutional policy due to its confidential or private nature, such as personally identifiable information (PII), financial records, medical data, and academic records.
  • LITS IT Procurement and Business Services: The departments responsible for overseeing the procurement process, evaluating potential vendors, and ensuring that technology services, software, and hardware meet Trinity College’s institutional standards and security requirements.

How the Process Works

The process begins when a business unit or department identifies the need for a third-party product, service, or software. If the product will process, store, or transmit Trinity College data, it should not be purchased or committed to until the need has been reviewed and confirmed as one that no existing institutional product or service already meets.

Upon identifying the need, the business unit sponsor contacts the LITS IT Procurement and Business Services to initiate the risk assessment process. This involves completing a Third-Party Vendor Risk Assessment Questionnaire and submitting any relevant documentation.

The submitted materials are reviewed by the Information Security Office (ISO) to assess potential risks associated with the vendor. This evaluation considers factors such as data handling practices, security measures, compliance with relevant regulations, and the vendor’s overall security posture.

Based on the assessment, the ISO provides recommendations to mitigate identified risks. These may include contractual clauses, security controls, or alternative solutions to address potential vulnerabilities.

Once all risks are addressed and mitigated, the vendor engagement can proceed. The business unit sponsor, in collaboration with LITS IT Procurement and Business Services, finalizes the procurement process, ensuring all necessary approvals are obtained.

When to Engage

Engage in the Third-Party Vendor Risk Assessment whenever selecting a new technology vendor, entering into a contract, integrating third-party products or services into existing systems, or handling sensitive or regulated data with external providers.

Submit a Request

Please Note: Departments must ensure that any technology product or service that transmits, accesses, or stores customer information subject to the Gramm-Leach-Bliley Act (GLBA) goes through an ASR. The same requirement applies to all technology additions, major architecture changes, and updated contract terms. The GLBA applies to the college in connection with its financial activities. Customer information is any record containing non-public personal information about recipients of college financial services, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the college.