Third-Party Risk Management in Higher Ed | A Discussion with Information Security and Procurement Professionals

Cybersecurity threats are constantly evolving, making a robust third-party risk management program crucial for organizations to enhance their data security. To support community colleges in their cybersecurity efforts, Stephen Heath, Executive Consultant of Information Security at the California Community College Chancellor’s Office (CCCC), and April Marin, Executive Director of Contract, Procurement, and Risk Management Services at Santa Clarita Community College District (SCCCD), co-presented an online webinar to discuss the topic. Their presentation focused on the significance of risk mitigation and the effective implementation of best practice frameworks within community college settings.

Heath started the discussion by providing a definitional framework for third-party risk management and emphasizing the significance of assessing the services provided by vendors. This assessment is vital for minimizing financial, operational, and reputational risks faced by colleges. He also emphasized the need for proactive measures to monitor vendors and establish clear mitigation clauses in contracts to assess risk factors. Heath highlighted useful tools such as SOC2 (an evaluation of a vendor’s security controls by an accounting firm) and HECVAT (an assessment form for measuring vendor risk in higher education institutions) for district professionals to implement oversight.

During the latter part of the webinar, Marin expanded on Heath’s insights regarding risk. She emphasized important contract clauses that should be included to ensure a clear understanding between companies and colleges regarding factors such as the definition, use, protection, and return of confidential data, as well as liability for information breaches. Marin presented SCCCD as a case study, discussing the development of their technology procurement process and practical implementation of the strategies Heath discussed. Through a collaborative effort between purchasing and IT professionals, SCCCD gathers information, assesses risk factors, and approves purchases.  She shared both successes and challenges encountered during this process over a span of 5+ years, highlighting the importance of defined responsibilities between IT and purchasing in maintaining an efficient workflow. This was further supported by sub-teams, including an accessibility team, data security team, and contract team, each serving a specific function within the overall structure. To facilitate effective communication and address project updates and concerns, Marin implemented weekly meetings. Furthermore, she stressed the importance of maintaining a software inventory tracking log to ensure that all team members are well-informed about the assessment and contracting process, contributing to an overall efficient technology purchasing process.

We extend our appreciation to Heath and Marin for their commitment to safeguarding student, staff, and faculty information. We are grateful for their valuable contribution and for devoting their time to discussing this crucial topic. If you have any questions, please feel free to contact Stephen Heath at sheath@cccco.edu or April Marin at april.marin@canyons.edu.