Vendor Risk Management

The university community increasingly seeks systems, services, and capabilities that are hosted externally, which typically means that the associated data is stored outside of UConn. To better protect the institution and our community, the ITS Security Office created a Risk Management Policy and process to verify that external entities meet appropriate data protection standards.

ITS is added to the workflow when a university customer initiates a HuskyBuy purchase from a cloud vendor, but we are happy to engage earlier than this.  We collaborate with all parties to understand what information is being shared and assess the vendor’s security processes and procedures.  ITS shares any identified risks or concerns with the requestor and works with procurement to identify suitable terms and conditions to protect the institution and meet applicable regulatory obligations.  This due diligence review can be quick, but it also has the potential to be lengthy, and we encourage the community to use existing university-provided software, which likely already contains the appropriate contract language.

We ask that you share this information with anyone in your area that may be purchasing cloud-hosted services and encourage them to contact the ITS Security Office at for additional information.