Colleges and universities implement countless third-party products and services, any of which could pose risks to the institution, its data, and its constituents.
Scenario
When one of the university's service providers suffered a data breach that exposed health information for several thousand students, Taylor saw an opportunity to make lemonade from an unfortunate circumstance. From his position in the institution's IT department, Taylor had long advocated for a strong, formal program to evaluate the risks posed by third-party providers. His appeals had gone largely unheeded, though, caught between resistance from senior leaders about the cost for such a program and opposition from faculty—and sometimes students—who were loath to forgo certain technology tools and services if the service provider couldn't pass a risk assessment. And yet when word of the breach got out, the students were angry and the administration wanted answers.
In this case, the student health center had implemented a third-party application that allowed students to submit family medical histories and information about their own health and stress levels to a service that triangulated those data with grades and other university-provided measures of engagement. The service would then provide students with weekly personalized recommendations about lifestyle practices that could improve their physical and mental health. Only students who opted in to the program were included, and the data were confidential…until the breach.
Seeing firsthand the consequences of insufficient attention to third-party risk management (TPRM), the campus community was suddenly on board. Taylor was charged with establishing TPRM policy, processes, and standards, and he assembled a small group from various units across campus, including legal counsel, regulatory compliance, IT, and the faculty senate. They began the arduous process of developing a full inventory of third-party products and their uses. What quickly became clear was that there were too many third-party products and services already deployed and too many more in the queue to perform an exhaustive review of each one. The group established guidelines for reviewing existing and new tools, applying a prioritization schema based on risk and reach. Some tools were jettisoned because the university already had other products or services that performed the same or similar functions and were less risky. Some were replaced with more trustworthy alternatives. A long-running research project was using a third-party tool that the TPRM group would not have approved but that was required by the agency that sponsored the research; for this tool, the IT staff implemented additional security controls to better protect the university. Even with such exceptions, though, and relatively cursory reviews for other products and services, Taylor could confidently say to the members of the university community that significant amounts of risk had been identified and either eliminated or minimized, with relatively minor impacts on users and programs that depended on third-party tools.
1. What Is It?
Third-party risk management (TPRM) refers to the activities and policies designed to identify, assess, and mitigate the potential risks from products and services provided by outside vendors, suppliers, contractors, or service providers. Higher education relies on a large—and seemingly always expanding—catalog of technology tools, any of which carries some risk to the institution and its constituents. Using third-party products and services can bring significant benefits, but institutions need to weigh those benefits against the costs when evaluating the risk from third parties. Managing the risks of applications developed in-house presents its own challenges, and that difficulty is multiplied for technology developed and maintained by a third-party provider, which might be a commercial vendor, a different higher education institution, or another type of entity.
TPRM involves understanding the potential risks external parties may pose to an organization's operations, data security, reputation, and regulatory compliance. Those risks encompass areas including information security, data privacy, regulatory compliance, business continuity, basic functionality (ensuring technology products and services function as intended, without breaking anything else), accessibility, and ethical considerations. On the security front, any of the elements of the C-I-A triad (confidentiality, integrity, and availability) could be compromised by a third-party product. For some campuses, environmental, social, and governance (ESG) considerations need to be taken into account, and a third party might not satisfy those requirements. One common risk for cloud-based services is the potential for breach of confidential information. Similar risks may apply to on-premises software if the source code is stolen and attackers then use that to find vulnerabilities in the software. Such risks apply broadly across many vendors and could involve enterprise tools used across the institution or specialized software used in a single class or research project. This risk also includes integrations between cloud services such as Learning Tools Interoperability in a campus learning management system. Risks extend to student-led activities—for example, if a student group takes credit card payments for a fund-raising activity, that may incur risk for the institution (if cardholder data is breached), even though it's "just students" using the technology.
2. How Does It Work?
Classic risk modeling multiplies the likelihood (odds) of an event by its impact (cost) to understand the economics of reducing risk. An institution can then propose various controls to reduce risk and weigh the cost of those controls versus the value of the reduced risk. For a given product, multiple types of risk might apply, and each of those risks can be assigned a score. The overall risk for the product or service can then be expressed as the highest score of all the applicable risks. For example, if the risk of service outage is low, and the risk of data breach is medium, then the overall risk is medium. Assessing these risks, however, can be complex. In the case of a learning management system, the impact of an outage during winter break is very different from the impact on the first day of final exams.
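The scoring model described above, worked through as an added example (this code is not part of the EDUCAUSE article and describes no real vendor). It assumes 1-to-5 ordinal scales for likelihood and impact and assumed thresholds for the low/medium/high buckets, computes each risk as likelihood times impact, takes the highest applicable risk as the overall score, lets impact vary by context (the finals-week outage case), and goes one step beyond the paragraph by ordering a constructed inventory for review by risk and then reach, the prioritization the scenario describes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed ordinal scales. The article describes risk as likelihood x impact
# but gives no numeric scale, so the 1..5 scales and the thresholds below are
# assumptions chosen for illustration.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def level(score: int) -> str:
    """Bucket a likelihood x impact product into low / medium / high (thresholds assumed)."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


@dataclass
class Risk:
    """One risk category for one third party (e.g. service outage, data breach)."""
    category: str
    likelihood: str
    impact: str
    # Impact can depend on context: an LMS outage on the first day of finals
    # is not the same as one during winter break.
    impact_by_context: Dict[str, str] = field(default_factory=dict)

    def score(self, context: Optional[str] = None) -> int:
        impact = self.impact_by_context.get(context, self.impact)
        return LIKELIHOOD[self.likelihood] * IMPACT[impact]


@dataclass
class ThirdParty:
    name: str
    reach: int  # constructed: number of campus users who depend on the tool
    risks: List[Risk]

    def overall_score(self, context: Optional[str] = None) -> int:
        # Overall risk is the highest score among the applicable risks.
        return max(r.score(context) for r in self.risks)

    def overall_level(self, context: Optional[str] = None) -> str:
        return level(self.overall_score(context))


def triage(parties: List[ThirdParty], context: Optional[str] = None) -> List[str]:
    """Order third parties for review: highest risk first, reach as the tie-break (assumed)."""
    ranked = sorted(parties, key=lambda p: (p.overall_score(context), p.reach), reverse=True)
    return [p.name for p in ranked]


# Constructed sample inventory (hypothetical tools, not real vendors or assessments).
LMS = ThirdParty(
    name="learning-management-system",
    reach=30000,
    risks=[
        Risk("service_outage", "possible", "negligible", {"finals": "severe"}),
        Risk("data_breach", "unlikely", "moderate"),
    ],
)
HEALTH_APP = ThirdParty(
    name="student-wellness-app",
    reach=2000,
    risks=[Risk("data_breach", "possible", "severe")],
)
INVENTORY = [LMS, HEALTH_APP]


if __name__ == "__main__":
    for ctx in (None, "finals"):
        label = ctx or "normal term"
        for p in INVENTORY:
            print(f"{label:12} {p.name:28} score={p.overall_score(ctx):2} level={p.overall_level(ctx)}")
        print(f"{label:12} review order: {triage(INVENTORY, ctx)}")
```

In the normal-term context the LMS reproduces the paragraph's example (outage low, breach medium, overall medium) and the wellness app outranks it for review; once the finals context raises the outage impact, the LMS becomes high risk and its far larger reach moves it to the front of the queue, which is the kind of calendar-dependent judgment a static point-in-time score misses.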
Part of the complexity of TPRM is maintaining an accurate inventory of the third parties and knowing every instance on a campus that uses each tool or service, as well as knowing whom to contact about a particular third party and who is responsible for the third-party tool if it's used by multiple units on campus. Another aspect of TPRM is monitoring vendor health and the risk that a vendor might go out of business, end support for a product, or significantly increase pricing, forcing an unexpected change. All of this work often requires more effort than many campuses are able or willing to devote, resulting in point-in-time evaluations that are less reliable than a comprehensive program. The procurement process might address risk through standard terms and conditions that apply across all vendors, not just technology vendors. One way vendors can offer assurance is by undergoing a SOC 2 Type II audit, in which an independent auditor evaluates the effectiveness of the vendor's security controls over a period of time.
3. Who's Doing It?
Most colleges and universities have some kind of TPRM program, often reporting to the procurement department or information security. But the structures of TPRM programs across higher education are highly variable, and programs range from very informal to highly structured approaches with significant resources. Responsibilities might be shared across multiple departments including legal, IT, and purchasing, and the primary function might reside in any of these areas. TPRM sometimes happens in a highly distributed manner, but collaboration is key to a successful program, as are executive sponsorship and buy-in. Doing TPRM well is a resource-intensive undertaking, and some consulting companies, virtual CISOs, marketplaces, and other entities will evaluate products and services and provide an independent risk score for vendors (similar to a credit score). These companies may also provide ongoing monitoring and real-time alerts if a vendor experiences a breach or other change in their risk rating. The HECVAT (Higher Education Community Vendor Assessment Toolkit) can also be used as a tool to gather relevant information for assessing a vendor's risk.
4. Why Is It Significant?
TPRM aims to proactively address third-party risks and vulnerabilities by implementing strategies and controls to protect the organization's assets, data, and reputation. Another concern is the accessibility of third-party technology, which involves not only the risk of a complaint from the Office for Civil Rights but, more immediately, the risk that the lack of accessibility will prevent a student from being able to use technology to complete a task. High-profile and damaging cybersecurity incidents involving third parties have affected higher education and have drawn attention to how campuses are managing third-party products. Besides the practical benefits of using risk management to protect the institution from financial and other types of harm, higher education institutions might be legally required to implement TPRM. For financial data, the FTC's Safeguards Rule requires covered entities to "develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information," and this extends to third-party applications. The Department of Education maintains its own rules for protected data. TPRM can be a requirement for funding agencies—research sponsors often ask a lot of questions about risks and how they are assessed and managed.
5. What Are the Downsides?
Managing third-party risks adds another layer of complexity to an organization's operations, resulting in increased administrative tasks and workload for the organization's risk management team. A proper risk assessment can increase the time required for procurement, and if the process is perceived to be burdensome, those who request third-party tools might circumvent it. Implementing an effective TPRM program will likely require investing in dedicated resources, including personnel and tools, to assess, monitor, and mitigate risks across multiple vendors. These costs can be significant, especially for organizations with numerous third-party relationships. Low-risk services should not have the same resources devoted to them as a high-risk service, but assigning a quantitative value to technology risk is more art than science. Balancing the cost of risk management with the potential risks can be challenging. TPRM is different from creating actuarial tables for auto insurance, for example, where numbers vary incrementally from year to year. Technology changes at a far more rapid pace, and the change is both qualitative and quantitative. How would insurers calculate risk if automakers started making flying cars tomorrow?
6. Where Is It Going?
The TPRM landscape will continue to increase in complexity. The more resources an institution devotes to this area, the easier it can be to move along the spectrum of maturity, and triage and prioritization can help determine where resources should be applied. Many vended products are available to help institutions automate parts of the risk assessment process. As more vended products and services become available to help assess and manage third-party risks, institutional leaders will need to think carefully about what expertise and capabilities they want to have in-house versus purchasing as a service. Lower-risk third-party tools might be candidates for automation, while other tools would receive greater hands-on scrutiny. As vendors increase the capabilities of their services, institutional staff will focus more on maximizing the benefit that the institution derives from the service. Some campuses are developing inventories that only allow products from approved third parties and, where possible, limiting the number of third-party products that perform the same function. In some cases, institutional leaders are examining fourth-party risk (also known as "nth-party risk") to see if the campus's third parties have their own third-party risk management programs.
7. What Are the Implications for Higher Education?
From the standpoint of risk management, higher education differs from business and government in a few important ways. First, higher education covers many subject areas for teaching and research that are managed in a distributed environment where decisions are made throughout campuses, which leads to a need for many different kinds of technologies tailored to particular needs. By contrast, a bank or restaurant would need a much smaller portfolio of centralized technologies and therefore would be assessing a much smaller number of vendors and products. Second, higher education promotes a culture of freedom to pursue individual and varied ideas, and a risk management program that is too restrictive can stifle creativity and discovery. A TPRM program must be tailored so that the cure isn't worse than the disease and that all institutional stakeholders understand how the program provides value. Lastly, due to the variety of activities conducted in higher education, many more regulations might apply to a college or university than to another type of business. FERPA applies, and if an institution has a healthcare function, HIPAA comes into play. Accepting payments via credit card brings in PCI DSS. If you have students or research subjects from Europe, GDPR needs to be addressed. An institution with campuses in multiple countries will need to assess risk against all applicable legal requirements. Similar complexity arises when an institution engages in research activities such as those that involve foreign partners or sponsors. By effectively managing third-party risks, organizations can enhance their resilience, maintain compliance with regulations, and safeguard their operations from potential disruptions or security breaches caused by external parties.
Contributors
Kirk Corey is Director of Policy and Privacy, Information Security and Policy Office at the University of Iowa.
Nick Lewis is Program Manager, Security and Identity, at Internet2.
© 2024 EDUCAUSE. The content of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.