Body
Summary
This article contains information about vendor information security, privacy considerations, and security assessment review (SAR) for USNH community members engaged with vendors involved with USNH information technology resources. The purpose is to guide USNH community members regarding vendors and/or third-party partners that provide products or services that integrate with the USNH network.
Content
Security Assessment Review (SAR)
When a third party manages, transmits, or stores sensitive or restricted information, the requestor should consult USNH Cybersecurity during contract negotiations to ensure the vendor provides appropriate assurances to ensure that information is adequately protected. Third-party hosted technology services, applications, systems, or products that will capture, access, store, process, or otherwise manage USNH institutional information must complete the Security Assessment Review (SAR) process. The SAR process requires vendors to demonstrate adequate information security controls and privacy protections to safeguard UNH's information appropriately.
To determine if a review is required, please submit a service request for a Security Assessment Review.
The SAR Process - Allow 4-6 weeks to complete this process
Generally, the following steps are involved in a security access review:
- Requestor opens a service request with USNH Cybersecurity Governance Risk and Compliance (GRC) to obtain an initial questionnaire to supply to the vendor.
- Upon review, Cybersecurity will issue the vendor either a HECVAT Full or a HECVAT Lite, depending on the classification of the information involved.
- Upon receiving the completed HECVAT, Cybersecurity will perform a review and make a recommendation. The Director of Cybersecurity GRC makes the final decision to approve or deny.
Tips
- Instruct the vendor to fill out the questionnaire responses as completely as possible. Incomplete or missing answers will cause delays in the review.
- The vendor must answer all questions; references to supplemental documents or links to company or other websites are not accepted.
- Ask the vendor to provide as much supporting documentation as possible; examples include copies of the vendor's information security program, business continuity plan, certifications or audit results, and user agreement/terms of use agreement
To obtain the current SAR documentation, open a service request to CyberSecurity.
Further Readings
Security Assessment Review Service
USNH Cybersecurity Services
Vendor Contract Language Review
Storing Restricted, Protected, and Sensitive Information @ USNH
Higher Education Community Vendor Assessment Toolkit
Need additional help?
To obtain the current SAR documentation, open a service request to CyberSecurity.
Visit the Technology Help Desk Support page to locate your local campus contact information or to submit an online technology support request. For password issues you must call or visit the Help Desk in person.