Information Security team
The Information Security team will support your division, department, or faculty to identify and mitigate risks associated with using third-party services and suppliers who process University data. Whether it’s a new or existing relationship, the outcome of an assessment will better prepare you to make the right decisions about how to manage your suppliers’ risks.
What we offer
The Third-Party Security Assessment (TPSA) is a due diligence activity to gain a level of assurance about the overall security and risk posture of our suppliers.
It should be treated as part of the procurement process or carried out with existing suppliers. It involves sending the supplier a list of security-related questions about their control environment and articulating the key risks that could be exposed by the use of supplier systems.
Benefits for you
- Compliance with legal and policy requirements
- Gain active assurance that suppliers meet industry standards for security
- Make managers more aware of the supplier risks to your data
- Standardised assessment methods ensure a consistent approach to measuring supplier risk
- Enable informed decision making when selecting new suppliers
How it works
The service is available to all parts of the collegiate university. The service includes:
- Assistance with determining the level of risk based on the nature and volume of the data involved
- Assessing the security controls and contractual arrangements of the supplier to determine if they are fit for purpose
- Providing advice, assistance and support when dealing with supplier queries and negotiations
- Making recommendations to help you decide whether the supplier’s security is sufficiently mature for the data that it will process.
What you need to do
Before requesting a Third-Party Security Assessment (TPSA), review our Working with Third Parties guidance.
All TPSAs are managed through the University's SureCloud platform.
About SureCloud
SureCloud is the University's Governance, Risk, and Compliance (GRC) platform. It supports a range of information security, data protection, and risk management processes across the University. To find out more about the project, please go to SureCloud platform on OxIntranet.
As part of the phased rollout, SureCloud is used to manage Third-Party Security Assessments (TPSAs), providing a more consistent and secure process for requesting, reviewing, and managing assessments.
If you are involved in completing, reviewing, or supporting TPSAs, you may need access to SureCloud.
You can email surecloud@admin.ox.ac.uk if you require the relevant access to complete a TPSA for a supplier you’re considering.
Please note that Firefox is not currently a recommended browser for SureCloud. For the best experience, use Microsoft Edge or Google Chrome.