Already 2023 is shaping up to be an expensive year for data breaches. The NBA, Air France, Nissan, Atlassian, AT&T, and the University of Colorado Hospital Authority have all suffered data leaks. But a common factor in these breaches is that their own systems weren’t at fault. Rather, the services of third party service providers that are employed by most organizations to manage specialized or redundant business processes suffered from security vulnerabilities that allowed the loss of sensitive data. These incidents will have financial, regulatory, and reputational consequences. For UD, third parties are indispensable to our mission—they can be as complex as a medical record system or as straightforward as renting commercial space.
So how does UD work to minimize third party risk? Our primary method is through the Technology Request process that was implemented over the last three years (and that you might be familiar with already). Any request to purchase or renew technology products and services are reviewed to verify the nature of the data involved and collect information needed about the solution including product security documentation, validation of funding, and review of contract terms. The final purchase is handled by UD Purchasing at the completion of the Tech Request review process.
By reviewing these factors for any technology purchase, we are working to ensure that our data is secure, our personal privacy is protected, and our systems cannot be exploited by bad actors.
Third Party Risk Management does not stop with the purchase of a solution; depending on the sensitivity of the data involved, we may request periodic updates to vendor information to ensure the continued protection of UD data. Finally, we may be involved with requesting the return of UD data at the end of a contract. Thus, Third Party Risk management is involved at each step of the way in our partnerships with other entities.
To learn more about the Tech Request process, explore here.