Jan 11 2024

4 Tips for Third-Party Risk Management in Higher Ed

Outsourcing requires managing risk where institutions may have little control.

Outsourcing has been a near-universal strategy for IT teams in every industry, and higher education is no exception. From cloud-based data centers to outsourced call centers, these solutions allow teams to focus on supporting education and leave nonstrategic IT tasks to specialists.

Though outsourcing can save your institution money and deliver better service to your users, it also means that players outside of your institution will be handling sensitive data and connecting to your network, making them a part of your security and risk management program.

Dealing with this responsibility means considering the risk that third parties pose. Third-party risk management (TPRM) shares some aspects of traditional risk management but also requires managing risk where you may have little control. Here are four ways you can strengthen your TPRM program.


1. Create and Maintain an Inventory of Partners

Before you can manage third-party risks, you must identify the third parties that present a risk of data breach, compliance failure, unauthorized disclosure or system failure. If IT is managing the relationship, this is easier. However, the presence of shadow IT requires you to cast a wider net. Your purchasing department can be a key ally here because most third parties are being paid. On-premises Internet of Things devices and supplied software — even if it’s open-source — must be included.

2. Treat TPRM as an Ongoing Relationship

Stay connected with your major partners to understand what’s changing on their end and how their own security and risk management programs are evolving. Identify the third parties that present the biggest potential exposure, and focus on those vendors. Keep channels open, schedule annual workshops to learn what’s new, and make sure that you complete the most important projects first.

3. Holistically Integrate TPRM into Your Security Strategy

The term “holistic” means to deal with a whole or an integrated system — not with its parts individually. A holistic approach treats TPRM as just another flavor of risk management and doesn’t consider third parties a special case. They need to be fully part of your risk management evaluation, reporting and mitigation plans.


4. Be Proactive with Monitoring, Analytics and Escalation

TPRM monitoring requires ingenuity, exploration and even some experimentation as you discover what monitoring data your third parties make available, then integrate it into existing risk management elements, such as your security information and event management system. Be discerning in what you use. Third parties often overwhelm with useless information, making it hard to dig out the valuable nuggets.
