Scenario

When one of the university’s service providers suffered a data breach that exposed health information for several thousand students, Taylor saw an opportunity to make lemonade from an unfortunate circumstance. From his position in the institution’s IT department, Taylor had long advocated for a strong, formal program to evaluate the risks posed by third-party providers. His appeals had gone largely unheeded, though, caught between resistance from senior leaders about the cost for such a program and opposition from faculty—and sometimes students—who were loath to forgo certain technology tools and services if the service provider couldn’t pass a risk assessment. And yet when word of the breach got out, the students were angry and the administration wanted answers.

In this case, the student health center had implemented a third-party application that allowed students to submit family medical histories and information about their own health and stress levels to a service that triangulated those data with grades and other university-provided measures of engagement. The service would then provide students with weekly personalized recommendations about lifestyle practices that could improve their physical and mental health. Only students who opted in to the program were included, and the data were confidential…until the breach.

Seeing firsthand the consequences of insufficient attention to third-party risk management (TPRM), the campus community was suddenly on board. Taylor was charged with establishing TPRM policy, processes, and standards, and he assembled a small group from various units across campus, including legal counsel, regulatory compliance, IT, and the faculty senate. They began the arduous process of developing a full inventory of third-party products and their uses. What quickly became clear was that there were too many third-party products and services already deployed and too many more in the queue to perform an exhaustive review of each one. The group established guidelines for reviewing existing and new tools,

https://www.researchgate.net/publication/383499944_Lesson_SAP_C_S4EWM_2023_Dumps_PDF-Pass_Your_Test_with_Real_C_S4EWM_2023_Exam_Dumps?_sg=wjvBVV37sxGeUcVBog5ri1tM0U17W4fxCU13ONlqepm8dxXSbew6umUQvqbGVsDYkjpdPA2ritTTx2yOjVZoYJPTKcnQI00IS33Rz5a1.CGE71jqxiHY2Yq_oJxwYb9mlTLtmV70bPhX71e8f5xMgLNs9xR5YbO7QX1LF3TBo3ZpxO4VmFt332NloQ222DA&_tp=eyJjb250ZXh0Ijp7ImZpcnN0UGFnZSI6ImhvbWUiLCJwYWdlIjoiX2RpcmVjdCJ9fQ

https://www.researchgate.net/publication/383500033_Lesson_SAP_C_WZADM_2404_Dumps_PDF-Pass_Your_Test_with_Real_C_WZADM_2404_Exam_Dumps?_sg=HmiZOACFcjALLnz3IYZM1l55fyBYtkj9fEeak6qlKFARuN8xyvI0ybSSbykMdJ3T5JIJ0I7xcStToSe-WmKmP2fpNeUG4HX-qBjX5o6A.Tu0O68ixcZHbZ31pFwD9lwCBwPMXZF-ppKGeMvbITJwCV7DqSRair9qvLKF1__EDBdUfFDHwvNlhAuE_I92mqQ&_tp=eyJjb250ZXh0Ijp7ImZpcnN0UGFnZSI6ImhvbWUiLCJwYWdlIjoiX2RpcmVjdCJ9fQ

https://www.researchgate.net/publication/383500035_Lesson_SAP_C_ACTIVATE22_Dumps_PDF-Pass_Your_Test_with_Real_C_ACTIVATE22_Exam_Dumps?_sg=wrtRdtMX7Db6ay2YbBGmtCfVGE-0Bc2y4X4qMODiGKfO5OBs0dVVtfVC0bpHZ1r6aGb_lmKPFA_WRTauX4lIvMdyWEDK3DPOhwAp6sQJ.pwTOv34O71VcNOyGYShLRqNACdNvzBD28cEOr-dRW3kktUjdBYMhcEM4jfLn_tK7Cs9GcU4a0DufF3cxFIl3kw&_tp=eyJjb250ZXh0Ijp7ImZpcnN0UGFnZSI6ImhvbWUiLCJwYWdlIjoiX2RpcmVjdCJ9fQ

https://www.researchgate.net/publication/383499871_Certscloud_Release_Updated_SAP_C_ARP2P_2404_Dumps_With_Verified_Questions_And_Answers?_sg=rheZkbz_cE1H3s_mAUcNeIiVatYmlKU9F3RAxo78lQzTwYzssHRtj-6mzjLb24-bJkpydVMn1vPCTHnO_s1CDCbLL6rsT13l0dDEUFIY.5VvO2jPc2LS-wEI5E8RxVHpa4Q1eALri5DF9r9yMda3Cm0-VxZhIQiswoHORqfqRP0Zdqwh2pNmDFaRJYLQvOg&_tp=eyJjb250ZXh0Ijp7ImZpcnN0UGFnZSI6ImhvbWUiLCJwYWdlIjoiX2RpcmVjdCJ9fQ

https://www.researchgate.net/publication/383500036_Download_C_TS462_2022_Exam_Dumps-Pass_with_Real_SAP_Specialist_C_TS462_2022?_sg=EA1GIh74uthnPKHi4z5KW7rg6MYGhSvyJTOqPTLBBq6ZrR0yft9h7BfyVlet69_UlknaYHLmFbegRIA_KrL0wvf3WRtMU-uefTvRoxPv.lALrWiEllb91tA-HO_C0YJgaXBty2TYsjmY6ouf_kt4rPMwkwPOCfbZzO8IbPnCyYiq-iV09qGpEPqNq9dkE-A&_tp=eyJjb250ZXh0Ijp7ImZpcnN0UGFnZSI6ImhvbWUiLCJwYWdlIjoiX2RpcmVjdCJ9fQ

https://www.researchgate.net/publication/383499685_Certscloud_Release_Updated_SAP_C_TS411_2021_Dumps_With_Verified_Questions_And_Answers?_sg=BWOjM3cbRI2UtnjX8xT5Psjd3wAhM5nUeri3gEHElivHlHPVAaz30JNIHEt9ban2tZ75lPmLx124scpILjRVr_up1b-2gdSVveZ4WBll.McVm93ikayFp6hp4xOOPA5P7lec-egQEKBMF5iVdWKbYBgXxtFI15ln8MOrGmAVPRlFam2tu5zfvUoo9vXMFyQ&_tp=eyJjb250ZXh0Ijp7ImZpcnN0UGFnZSI6ImhvbWUiLCJwYWdlIjoiX2RpcmVjdCJ9fQ

https://www.researchgate.net/publication/383499882_Download_C_C4H450_21_PDF_Dumps-Pass_with_Real_SAP_Systems_C_C4H450_21?_sg=VL1i_NoxLN-kBYUMu052_-MvrBdlrC2-Pzt9np1QLmxYcezhgceBs2xHETXiuaib2EsMirGb2sDC3hpkeTPRVDWBTnQZlkfpDxgjr0yn.opIwI81HiRor3KXhN84x_3ly39wFxt4Z31ZnGOwZaN-3EK-TCCgxswzi4x-lipCx57bCq1o8r43KhylEvnwtjA&_tp=eyJjb250ZXh0Ijp7ImZpcnN0UGFnZSI6ImhvbWUiLCJwYWdlIjoiX2RpcmVjdCJ9fQ

https://www.researchgate.net/publication/383499953_Download_C_SAC_2215_PDF_Dumps-Pass_with_Real_SAP_Systems_C_SAC_2215?_sg=-7jjROeiZl6l2T5VnHrSZkL6QDTXAPhyQHxim4kGM1uPx8L1R86P0vF_q4womZIcxjaV1H7oHX6d0DQBzBFcrK-GhdYsWNnlNjnUybR-.biQa6FnTw751Ita5PP23Pwnup2HPlSFYht87-gYD8TCD5mQHDoFpVBx-v_BAX_vAqTag9-LrnXfbbPcAJ6pjgQ&_tp=eyJjb250ZXh0Ijp7ImZpcnN0UGFnZSI6ImhvbWUiLCJwYWdlIjoiX2RpcmVjdCJ9fQ

https://www.researchgate.net/publication/383499888_Lesson_SAP_E_ACTCLD_23_Dumps_PDF-Pass_Your_Test_with_Real_E_ACTCLD_23_Exam_Dumps?_sg=0N9DPmlK-Br8bZwWyFmRncyCyc4X8RjXHwBzgz8rSd5HOT84N_TAcx7MxmpJDDs_3dbwlpKY58vvoiiUFR13P9ux9KQ9VQa198BFSKWj.eRyWvcLuv6cA_0s-9tOyt9q-8pH7lksnOBNDSvy_XOAbnO3NF-kKh8haQ1nJqewKS30rAK34L5t7VQUb_Pzx4g&_tp=eyJjb250ZXh0Ijp7ImZpcnN0UGFnZSI6ImhvbWUiLCJwYWdlIjoiX2RpcmVjdCJ9fQ

https://www.researchgate.net/publication/383499690_Certscloud_Release_Updated_SAP_C_TS413_2021_Dumps_With_Verified_Questions_And_Answers?_sg=vrmLYvqqGVm0dGQ1_jHTmlkgkTt09uo1eb2Pl-LaerhRqHLCr_O3T7cLmLT0fpy9Dl5FO3elRSp20kEYS1knjzIFuOD5W_mypOSEsDt9.Gh8ukXMg5wGxmDYZqJLMdhUn8_5axkm4p–Ab6FnR9uG152teLJNkcNwakGOkDypuPtv5xOOKDdXlkxI4Hcuiw&_tp=eyJjb250ZXh0Ijp7ImZpcnN0UGFnZSI6ImhvbWUiLCJwYWdlIjoiX2RpcmVjdCJ9fQ

applying a prioritization schema based on risk and reach. Some tools were jettisoned because the university already had other products or services that performed the same or similar functions and were less risky. Some were replaced with more trustworthy alternatives. A long-running research project was using a third-party tool that the TPRM group would not have approved but that was required by the agency that sponsored the research; for this tool, the IT staff implemented additional security controls to better protect the university. Even with such exceptions, though, and relatively cursory reviews for other products and services, Taylor could confidently say to the members of the university community that significant amounts of risk had been identified and either eliminated or minimized, with relatively minor impacts on users and programs that depended on third-party tools.

1. What Is It?

Third-party risk management (TPRM) refers to the activities and policies designed to identify, assess, and mitigate the potential risks from products and services provided by outside vendors, suppliers, contractors, or service providers. Higher education relies on a large—and seemingly always expanding—catalog of technology tools, any of which carries some risk to the institution and its constituents. Using third-party products and services can bring significant benefits, but institutions need to weigh those benefits against the costs when evaluating the risk from third parties. Managing the risks of applications developed in-house presents its own challenges, and that difficulty is multiplied for technology developed and maintained by a third-party provider, which might be a commercial vendor, a different higher education institution, or another type of entity.

TPRM involves understanding the potential risks external parties may pose to an organization’s operations, data security, reputation, and regulatory compliance. Those risks encompass areas including information security, data privacy, regulatory compliance, business continuity, basic functionality (ensuring technology products and services function as intended, without breaking anything else), accessibility, and ethical considerations. On the security front, any of the elements of the C-I-A triad (confidentiality, integrity, and availability) could be compromised by a third-party product. For some campuses, environmental, social, and governance (ESG) considerations need to be taken into account, and a third party might not satisfy those requirements. One common risk for cloud-based services is the potential for breach of confidential information. Similar risks may apply to on-premises software if the source code is stolen and attackers then use that to find vulnerabilities in the software. Such risks apply broadly across many vendors and could involve enterprise tools used across the institution or specialized software used in a single class or research project. This risk also includes integrations between cloud services such as Learning Tools Interoperability in a campus learning management system. Risks extend to student-led activities—for example, if a student group takes credit card payments for a fund-raising activity, that may incur risk for the institution (if cardholder data is breached), even though it’s “just students” using the technology.

2. How Does It Work?

Classic risk modeling multiplies the likelihood (odds) of an event by its impact (cost) to understand the economics of reducing risk. An institution can then propose various controls to reduce risk and weigh the cost of those controls versus the value of the reduced risk. For a given product, multiple types of risk might apply, and each of those risks can be assigned a score. The overall risk for the product or services can then be expressed as the highest score of all the applicable risks. For example, if the risk of service outage is low, and the risk of data breach is medium, then the overall risk is medium. Assessing these risks, however, can be complex. In the case of a learning management system, the impact of an outage during winter break is very different from the impact on the first day of final exams.

Part of the complexity of TPRM is maintaining an accurate inventory of the third parties and knowing every instance on a campus that uses each tool or service, as well as knowing whom to contact about a particular third party and who is responsible for the third-party tool if it’s used by multiple units on campus. Another aspect of TPRM is monitoring vendor health and the risk that a vendor might go out of business, end support a product, or significantly increase pricing, forcing an unexpected change. All of this work often requires more effort than many campuses are able or willing to devote, resulting in point-in-time evaluations that are less reliable than a comprehensive program. The procurement process might address risk through standard terms and conditions that apply across all vendors, not just technology vendors. One way vendors can offer assurance is by undergoing a SOC 2 Type II audit, in which a third party audits the effectiveness of the vendor’s security practices.