Third party security assessment

Guidance on third party security assessments

Information Security team

The Information Security team can support your division, department, or faculty, to identify and mitigate risks associated with using third-party services and suppliers who process University data. Whether it’s a new or existing relationship, the outcome of an assessment will better prepare you to make the right decisions about how to manage your suppliers’ risks. 

 

What we offer

The Third-Party Security Assessment (TPSA) is a due diligence activity to gain a level of assurance with the overall security and risk posture of our suppliers. 

It can be treated as part of the procurement process or carried out with existing suppliers. It involves sending the supplier a list of security-related questions about their control environment and articulating the key risks that could be exposed by the use of supplier systems.

Benefits for you

  • Gain active assurance that suppliers meet industry standards for security  

  • Make managers more aware of the supplier risks to your data  

  • Standardised assessment methods ensure a consistent approach to measuring supplier risk  

  • Compliance with legal and policy requirements  

  • Enable informed decision making when selecting new suppliers  

How it works

The service is available to all parts of the collegiate university. The service includes: 

  • Assistance with determining the level of risk based on the nature and volume of the data involved  

  • Assessing the security controls and contractual arrangements of the supplier to determine if they are fit for purpose  

  • Providing advice, assistance and support when dealing with supplier queries and negotiations  

  • Making recommendations to help you decide whether the supplier’s security is sufficiently mature for the data that it’ll process. 

What you need to do

Firstly, take a look at our Working with third parties page for further guidance.

Requesting a TPSA through SureCloud 

Third Party Security Assessments are now managed through SureCloud. All new TPSA requests must be submitted via the SureCloud platform. 

The University is introducing SureCloud, a new Governance, Risk, and Compliance (GRC) platform that will support a range of information security, data protection, and risk management processes across the University. 

As part of the phased rollout, SureCloud will be used to manage Third Party Security Assessments (TPSAs). This introduces a more consistent and secure process for requesting, reviewing and managing assessments. 

If you are involved in completing, reviewing, or supporting TPSAs, you may be asked to access SureCloud as part of the rollout.  

You can email grc@infosec.ox.ac.uk if you require the relevant access to complete a TPSA for a supplier you’re considering. 

Access SureCloud through this link: https://universityofoxford.surecloud.io/ 

Access is role-based and aligned to your involvement in the TPSA process. During the assessment process, you will receive system-generated email notifications from notifications@surecloud.io

Please note that Firefox is not currently a recommended browser for SureCloud. For the best experience, use Microsoft Edge or Google Chrome. 

To request a TPSA, follow the guidance on this page and submit your request through SureCloud. If you need assistance accessing a TPSA in SureCloud, or need your role permissions configured, contact grc@infosec.ox.ac.uk