16 November 2023

Engaging with the R&E Cloud Community to Minimize Vendor Risk

By Nick Lewis - Internet2 Program Manager

Internet2 NET+ to Launch Third-Party Vendor Risk Management Working Group and Service Evaluation

Internet2 has been engaging with different parts of the research and higher education (R&E) community on vendor risk management. For example, the NET+ BPLAC Working Group on Vendor Management developed an R&E Community Framework for IT Vendor Management that they presented at EDUCAUSE Annual.

The NET+ BPLAC Working Group on Vendor Management is also conducting a survey to understand the current state of expertise and collaboration at institutions, which will inform their next steps with the framework. Josh Callahan, Kyle Shachmut, Eudora Struble, and I gave a presentation at EDUCAUSE Annual, Vendor Risk Assessment for Security and Accessibility, on managing vendor risk across a campus. It’s clear that this is a hot topic in the community and a pressing risk for you and your peers to address!

Register for the Working Group Kickoff

We’ll convene the working group starting on November 27 at 2 p.m. ET/11 a.m. PT. Please register to receive the call-in details and meeting invite.

On behalf of the community, the Internet2 NET+ Program is excited to share next steps to drive additional community activities around vendor risk management. We are launching a working group on third-party risk management. We plan to convene the working group a few times before the end of the year, starting on November 27 at 2 p.m. ET/11 a.m. PT, to share how campuses are currently managing vendors or third parties, develop common use cases, and identify community requirements for a third-party risk management service. Please register to receive the call-in details and meeting invite.

We will use the output of those calls, along with additional data gathering of community requirements, to draft an RFP/RFI to send to third-party risk management services in early 2024 with the goal of kicking off a NET+ service evaluation with a finalist or finalists shortly thereafter. If you would like to be included in this effort, but can’t make the call, we can schedule a time to meet individually. We want people from the different groups on your campus to be included in this work, so we can have their input to ensure that a future NET+ service could meet their requirements. Please invite other interested parties on your campus to this call. We’ve also set up an email list for collaboration on this work. You can subscribe to the list to be included in the work, get announcements, etc.

How We Identified the Need for a Working Group on Third-Party Risk Management

One of the challenges in these discussions about vendor risk management has been that every area of expertise has its own lexicon, which sometimes makes it difficult for different parts of a campus or community to communicate. Sometimes we even use the same term but mean different things. Campus information security teams might think about third-party risk management, while procurement might think about vendor management. Campus legal might just think about vendors or third-party risk when working on contracts. IT accessibility teams think about which computers or services a person might use to make sure resources are accessible for their community. Privacy teams think about with whom sensitive data is going to be shared. And so on.

For this work, we’re going to use the term third-party risk management (TPRM), since it is more inclusive of the external organizations with which a campus engages. These could include organizations like the National Student Clearinghouse, traditional vendors, vendors of your vendors (fourth parties), free services, etc. All of these different external organizations are part of managing this risk for your campus. Part of the challenge for campuses is how to scale current activities to manage hundreds or thousands of third parties, create an inventory, and have a repeatable process to meet rapidly changing requirements.

We’re also having discussions with EDUCAUSE about community resources around vendor management in alignment with the organization’s newly released strategic plan, with the REN-ISAC, and with the HECVAT team on future planning.

We hope to see you on the working group calls. Please reach out if you have any questions or feedback, or want to be included.
