3rd Party Cloud Security Risk Assessments
Whenever the university is preparing to use new technology, it’s always a good idea to check and see if it needs a security assessment. The purpose of these assessments is to identify and diminish any significant risks when we work with a service provider who may transmit and/or store Ohio State institutional data. By identifying and documenting agreed upon risk mitigation actions (actions may be required by both the vendor and the Ohio State project team), we are able to significantly reduce the likelihood and impact of a security incident.
What needs to be assessed?
All third-party applications that process or store institutional data in an off-premises datacenter managed by a third party must undergo a risk assessment.
We don’t require all assessments to be performed by the Risk Management Team; a unit is free to perform an assessment on its own. However, we offer this Third Party Risk Assessment service to all units to protect those who do not have the resources and/or expertise to assess vendors independently.
An application does not need to undergo multiple assessments unless there is a major upgrade or a significant change to how it is being used. The Cloud Assessment Registry is a database of previously-assessed third-party applications. If the application in question is already in this database and usage has not changed, no additional assessment is necessary. Please review the archived assessment report from the Risk Assessment Team to confirm, prior to implementing the application.
What is required?
For each assessment the Risk Management Team needs:
- A point of contact from the internal project team who can answer questions about how Ohio State intends to use the application;
- A point of contact with the vendor who can answer technical questions about the application; and
- A completed security questionnaire from the vendor. Please note: moving forward, questionnaires will be housed and completed within our new, interactive risk management platform, RAMP.
The Risk Management Team needs contacts who are willing and capable of answering questions about the application. Additionally, the use case and implementation plan must be well defined.
The person requesting the assessment is responsible for identifying contacts, as well as identifying who will be responsible for ensuring the Security Questionnaire is completed. The requestor is also expected to provide preliminary details about the use case, any deadlines and what type of assessment has already been completed or is planned.
Please note that this service only assesses the information security risks associated with new online applications. The requester is still responsible for initiating contact with Legal Affairs, ADA and Purchasing.
What is the process?
When we receive the request and security questionnaire, we start our investigation. This process may include several discussions between the risk analyst, the project manager, the vendor and outside stakeholders. We make recommendations about how to best implement the application and minimize identified vulnerabilities. We document all of our findings in a report. We present this report to the Assessment Working Group (AWG) and the Security Advisory Board (SAB). The SAB decides whether or not the suggested remediation is adequate and if the level of risk is acceptable to the university.
You can see a detailed process workflow here.
IT Directors and Security Coordinators can request a copy of completed and archived assessment reports by emailing the Risk Assessment Team at CIO-ITRiskAssessments@osu.edu.
How can IT Directors and Security Coordinators request this service?
- Log in to ServiceNow
- Click Order Services
- Click IT Security Services
- Click Third Party Risk Assessment
- Fill out the required information and click Submit
If you are unable to access or complete the request, please contact the Risk Assessment Team for assistance.
Please note: once a request is submitted, the requestor and the vendor will be emailed links to complete questionnaires in the risk management platform, RAMP. We expect to receive the completed security questionnaire shortly after. We cannot work on a request without a security questionnaire. We may cancel the request if a security questionnaire is not submitted within four weeks of the request.