Why use the Vendor Assessment Toolkit?
Increasingly, hackers are targeting third-party vendors to gain unauthorized access to the sensitive data of higher education institutions or compromise networked systems to install ransomware.
The Vendor Selection Toolkit ensures that Teachers College is working with vendors who provide secure platforms, software, and systems.
This toolkit should be shared with vendors early in the selection process to ensure they can comply with TC’s terms.
This is just a first step. For all systems and software vendor acquisitions, connect with TCIT.
The items described below are part of the Vendor Assessment Toolkit:
Master Service Agreement
A master service agreement (MSA) is a contract reached between parties in which the parties agree to the terms that will govern future transactions or future agreements. Many vendors have their own MSA, which can be used in place of this MSA with review and approval by the Office of General Counsel.
HECVAT
For Colleges and Universities—The HECVAT is a questionnaire framework specifically designed for higher education to measure vendor risk. Before purchasing a third-party solution, ask the solution provider to complete a HECVAT tool to confirm that information, data, and cybersecurity policies are in place to protect your sensitive institutional information and constituents' PII. Be sure to use the latest version of the HECVAT, which includes ADA questions.
For Solution Providers—Complete the assessment tool and share it in the Cloud Broker Index. Once completed, multiple institutions can use your assessment to streamline procurement processes with your higher ed clients.
Non-Disclosure Agreement (NDA)
A non-disclosure agreement is a legally binding contract that establishes a confidential relationship. The parties signing the agreement agree that sensitive information they may obtain will not be made available to any others. An NDA may also be referred to as a confidentiality agreement.
Data Security Agreement
Data security, or information protection, refers to the process of securing information over its entire life cycle from unauthorized access and data manipulation. Data protection requires data encryption, tokenization, and encryption activities that secure data across all networks and applications. In other words, it implies shielding digital data, such as that in a database, from disruptive forces and unauthorized users’ unwanted acts, such as cyber-attacks or data breaches. By signing the Data Security document, vendors agree to TC’s terms for protecting data.
Ransomware
Ransomware is a type of malware that threatens to publish the victim's personal data or perpetually block access to it unless a ransom is paid.