This Vendor Risk Management Plan aims to establish a framework for effectively managing
and mitigating risks associated with third-party vendors at Hudson County Community
College. The procedure outlines the processes and procedures for vendor evaluation,
selection, and ongoing monitoring to ensure vendor relationships' security, compliance,
and reliability. The procedure primarily focuses on collecting and reviewing information
about the vendor's suitability and security and assessing terms and conditions and
contract language during initial contract signing and renewal.
- Vendor Selection Process
- Vendor Identification: Identify potential vendors based on the college's requirements
- Initial Vendor Evaluation: Evaluate potential vendors using the following criteria:
- Qualifications and expertise
- Reputation and references
- Financial stability
- Security and compliance standards
- Service level agreements
- Request for Proposal (RFP): Prepare and issue an RFP, if necessary, to shortlisted
vendors outlining the college's expectations, requirements, and evaluation criteria.
- Vendor Evaluation: Evaluate vendor proposals based on predefined criteria and conduct
any necessary interviews or presentations.
- Vendor Selection: Select the vendor(s) based on evaluation results, considering factors
such as cost, capabilities, and risk profile.
- Higher Education Community Vendor Assessment Toolkit (HECVAT) Collection and Review
- HECVAT Form Requirement: All potential vendors must submit their completed HECVAT;
SOC 2 audit findings may be substituted for a HECVAT.
- Initial Review: Review the HECVAT to assess the vendors' security practices, data
protection measures, and compliance with relevant regulations.
- Risk Assessment: Conduct a risk assessment based on the information provided in the
HECVAT to identify potential risks associated with the vendor relationship.
- Mitigation Actions: Develop mitigation actions to address identified risks, such as
requesting additional information, conducting security audits, or establishing contractual
obligations for security and privacy.
- Terms and Conditions Review
- Contract Review: Review the terms and conditions of the proposed vendor contract,
focusing on areas related to data privacy, security, compliance, and intellectual
- Legal Review: Engage legal counsel, if necessary, to ensure contract language adequately
protects the college's interests and aligns with applicable laws and regulations.
- Negotiation and Amendment: Collaborate with the vendor to negotiate and amend contract
language to address any identified concerns or gaps.
- Approval and Signing: Obtain necessary approvals for the contract and sign the agreement
once all parties are satisfied with the terms and conditions.
- Ongoing Vendor Management
- Regular Monitoring: Continuously monitor vendor performance, security practices, and
compliance throughout the contract duration.
- Contract Renewal Review: Contract Renewals are contingent upon Community College Contract
Law Statutes. Conduct a thorough review of vendor relationships, including re-evaluation
of new HECVAT, terms and conditions, and contract language, during the contract renewal
- Vendor Performance Evaluation: Periodically assess vendor performance against established
service level agreements and expectations.
- Incident Response: Follow the Incident Response procedure to address any security
breaches or data incidents involving vendors promptly.
- Vendor Offboarding: Develop a process to ensure proper offboarding of vendors, including
returning sensitive information and terminating system access.
- Documentation and Reporting
- Contract Repository: All vendor contracts, including their terms and conditions, amendments,
and related documents, should be stored in the college's contract management system.
Ensure that the contract repository is organized, easily accessible, and regularly
- Completed HECVAT and Security Documentation: Maintain a record of all HECVATs and
security audits received from vendors, including any supporting documentation or clarifications
provided by the vendors.
- Risk Assessments: Document the results of risk assessments conducted based on the
HECVAT and any additional assessments or audits performed.
- Incident Reports: Keep a record of any security incidents or breaches involving vendors,
along with the corresponding incident response actions taken.
- Executive Reporting: Provide regular reports to executive management, including the
Chief Information Officer (CIO) and Cabinet, summarizing the vendor risk landscape,
mitigation efforts, and notable incidents or concerns.
- Contract Renewal Report: Prepare a comprehensive report highlighting the findings
from the contract renewal review, including any recommended changes or enhancements
to vendor relationships.
- Compliance Reporting: Generate periodic reports on vendors' compliance with applicable
regulations, contractual obligations, and agreed-upon security standards.
- Record Retention
- Retention Period: Vendor Risk Assessment documentation will follow record retention
schedules for vendor-related documentation, ensuring compliance with legal, regulatory,
and internal requirements.
- Data Privacy and Protection: Adhere to applicable data privacy and protection regulations
when storing and handling vendor-related documents, ensuring proper safeguards are
Approved by Cabinet: May 2023
Related Board Policy: Information Technology Services
Return to Policies and Procedures