Higher education institutions, like colleges and universities, often work with dozens of third-party vendors, which can introduce considerable security risk if the school doesn't maintain a proper vendor risk management (VRM) program. A compromised third party can expose the school's sensitive data, disrupt business continuity, or cause serious financial damage.
Schools must learn how to identify and assess security risks so they can begin the vendor risk management process as early as possible. This article will discuss how colleges and universities can reduce their vendor-related security risks and begin to build better third-party risk management processes.
What are Vendor-Related Security Risks for Colleges & Universities?
Vendor-related security risks are any risks that arise from working with vendors, suppliers, or service providers and that could result in security breaches, disruption of business operations, monetary loss, or exposure of sensitive information and personally identifiable information (PII). Each third party a school onboards or partners with adds new attack vectors and vulnerabilities for threat actors to exploit.
Common security risks that can affect vendors include:
- Software misconfigurations
- Cloud leaks
- Ransomware attacks or phishing attempts
- Password hacking
- Bad strategic decision-making
- Regulatory compliance failure
- Supply chain disruption
It's important for schools to implement vendor management solutions to minimize third- and fourth-party risk. However, managing vendor security risks can be time-consuming, costly, and complicated if done manually or without the right security framework in place.
Without a proper VRM solution, higher ed schools put themselves at risk of data breaches or cyber attacks, which may also violate various regulatory compliance standards, such as NIST SP 800-171, the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS), and the Family Educational Rights and Privacy Act (FERPA), among many others.
Reducing Vendor-Related Security Risks in Colleges & Universities
To reduce vendor-related security risks, schools must implement a system of safeguards and security controls as part of their VRM solution. Examining vendors' security practices, cyber threat prevention, and authentication processes, and defining their access privileges, are all important steps to take in addition to managing the vendors themselves.
1. Conducting Vendor Risk Assessments
Vendor risk assessments allow colleges and universities to properly assess the cybersecurity risks and overall security posture of their vendors. Risk assessments are essential when deciding whether or not to work with certain vendors by verifying if they have implemented proper information security and data protection processes. If potential vendors don't meet security requirements during the procurement stage, it's up to the university to determine if the vendor's risk profile is worth taking on.
One of the main vendor risk assessment tools developed for higher education schools is the HECVAT (Higher Education Community Vendor Assessment Tool). HECVAT was designed by a group of CISOs in the education sector to help IT security teams better assess third-party vendor risks and determine whether vendors have adequate data security, incident response plans, and security policies in place before the onboarding process.
HECVAT is composed of a series of security questionnaires that shorten the assessment period and lower the burden on security teams by allowing vendors to complete them on their own. Once the questionnaires are completed, schools can prioritize remediation for vendors using vendor tiering. Vendor tiering categorizes vendors by risk impact level (low, medium, high, critical) and helps streamline the development of a VRM strategy.
In addition to HECVAT, colleges and universities may also use other risk assessments or questionnaires to determine third-party security and regulatory compliance, like:
2. Establishing a Cybersecurity Framework
As part of a VRM solution, a VRM program can help establish a security framework for the university and its vendors. Security frameworks provide recommended security guidelines, standards, and best practices for organizations to implement in their risk management processes. Cybersecurity frameworks also give structure to the school and its VRM program by defining:
- Security personnel roles and responsibilities
- Incident response plans
- Cyber threat mitigation and remediation policies
- Breach notification processes for affected users and stakeholders
- System security plans (SSPs)
- Traffic and activity monitoring protocols
- Physical and digital asset classification
Standardizing security frameworks and defining security requirements across all vendors enables a more consistent approach to data security practices to protect against hackers and cybercriminals.
3. Managing Vendor Relationships
Universities can work with dozens of vendors simultaneously, making vendor relationship management one of the most important steps in reducing vendor risk. Whether the vendor is a small, independent contractor or a large supplier account, overseeing each individual vendor and managing the relationship is part of the due diligence process and helps improve the vendor's own risk management efforts.
Communication with vendors is the most important element for ensuring they consistently meet security standards. Additionally, ongoing assessments evaluate crucial factors like:
- How the vendor fits into the future goals of the school
- Cost evaluations
- Contractual agreements
- Annual risk assessments
- KPI readjustments
- Continual cybersecurity education and training for staff
As part of their overall VRM plans, schools should also document key vendor information and outline agreements to be put in the contract. By doing so, both parties can ultimately set clear objectives for the future and nurture a stronger relationship by identifying key indicators of strong vendor performance. This process can be assisted with checklists, compliance teams, legal teams, and external auditors to ensure the VRM plan is followed through on both ends.
4. Improving Vendor Maturity
As VRM programs scale and grow, the cyber maturity of vendors must grow with them. Using a vendor risk management maturity model (VRMMM), schools can begin measuring the growth of their vendor cyber resiliency over time. A VRMMM is part of an ongoing process of improving overall vendor maturity and security hygiene as both sides grow. A maturity model should include specific steps and milestones for the school to attain and against which to measure its third-party security controls.
Typically, a vendor maturity model is categorized into six different levels:
- Startup level: no VRM processes in place
- Initial security processes in place; VRM processes used on an ad hoc basis
- Clear roadmap for VRM implementation and increased ad hoc activity
- Fully defined and established VRM solutions
- Complete implementation and operation of VRM, framework, and compliance measures
- Continuous improvement of industry-leading VRM performance
Schools must consistently improve their own third-party vendor maturity levels as a crucial step in limiting vendor-related security risks. The VRMMM should provide a complete overview of the school's approach to its VRM solutions and allow the school to set goals for itself so that it makes repeated improvements yearly.
How UpGuard Can Help Schools Reduce Vendor-Related Security Risks
UpGuard Vendor Risk can quickly detect third-party data leaks, identify vendor risks from security questionnaires, and streamline remediation plans using real-time data. The UpGuard integrated platform generates instant vendor security ratings and executive reporting to help security teams better manage the third-party attack surface.