Vendor Risk Management Plan Procedure


Introduction

This Vendor Risk Management Plan establishes a framework for managing and mitigating the risks associated with third-party vendors at Hudson County Community College. The procedure outlines the processes for vendor evaluation, selection, and ongoing monitoring to ensure the security, compliance, and reliability of vendor relationships. It focuses primarily on collecting and reviewing information about a vendor's suitability and security posture, and on assessing terms, conditions, and contract language at initial contract signing and at renewal.

  1. Vendor Selection Process
    1. Vendor Identification: Identify potential vendors based on the college's requirements and needs.
    2. Initial Vendor Evaluation: Evaluate potential vendors using the following criteria:
      1. Qualifications and expertise
      2. Reputation and references
      3. Financial stability
      4. Security and compliance standards
      5. Service level agreements
    3. Request for Proposal (RFP): Prepare and issue an RFP, if necessary, to shortlisted vendors outlining the college's expectations, requirements, and evaluation criteria.
    4. Vendor Evaluation: Evaluate vendor proposals based on predefined criteria and conduct any necessary interviews or presentations.
    5. Vendor Selection: Select the vendor(s) based on evaluation results, considering factors such as cost, capabilities, and risk profile.
  2. Higher Education Community Vendor Assessment Toolkit (HECVAT) Collection and Review
    1. HECVAT Form Requirement: All potential vendors must submit their completed HECVAT; SOC 2 audit findings may be substituted for a HECVAT.
    2. Initial Review: Review the HECVAT to assess the vendors' security practices, data protection measures, and compliance with relevant regulations.
    3. Risk Assessment: Conduct a risk assessment based on the information provided in the HECVAT to identify potential risks associated with the vendor relationship.
    4. Mitigation Actions: Develop mitigation actions to address identified risks, such as requesting additional information, conducting security audits, or establishing contractual obligations for security and privacy.
  3. Terms and Conditions Review
    1. Contract Review: Review the terms and conditions of the proposed vendor contract, focusing on areas related to data privacy, security, compliance, and intellectual property.
    2. Legal Review: Engage legal counsel, if necessary, to ensure contract language adequately protects the college's interests and aligns with applicable laws and regulations.
    3. Negotiation and Amendment: Collaborate with the vendor to negotiate and amend contract language to address any identified concerns or gaps.
    4. Approval and Signing: Obtain necessary approvals for the contract and sign the agreement once all parties are satisfied with the terms and conditions.
  4. Ongoing Vendor Management
    1. Regular Monitoring: Continuously monitor vendor performance, security practices, and compliance throughout the contract duration.
    2. Contract Renewal Review: Contract renewals are contingent upon Community College Contract Law Statutes. During the contract renewal process, conduct a thorough review of the vendor relationship, including review of a newly submitted HECVAT, the terms and conditions, and the contract language.
    3. Vendor Performance Evaluation: Periodically assess vendor performance against established service level agreements and expectations.
    4. Incident Response: Follow the Incident Response procedure to address any security breaches or data incidents involving vendors promptly.
    5. Vendor Offboarding: Develop a process to ensure proper offboarding of vendors, including returning sensitive information and terminating system access.
  5. Documentation and Reporting
    1. Documentation
      1. Contract Repository: All vendor contracts, including their terms and conditions, amendments, and related documents, should be stored in the college's contract management system. Ensure that the contract repository is organized, easily accessible, and regularly updated.
      2. Completed HECVAT and Security Documentation: Maintain a record of all HECVATs and security audits received from vendors, including any supporting documentation or clarifications provided by the vendors.
      3. Risk Assessments: Document the results of risk assessments conducted based on the HECVAT and any additional assessments or audits performed.
      4. Incident Reports: Keep a record of any security incidents or breaches involving vendors, along with the corresponding incident response actions taken.
    2. Reporting
      1. Executive Reporting: Provide regular reports to executive management, including the Chief Information Officer (CIO) and Cabinet, summarizing the vendor risk landscape, mitigation efforts, and notable incidents or concerns.
      2. Contract Renewal Report: Prepare a comprehensive report highlighting the findings from the contract renewal review, including any recommended changes or enhancements to vendor relationships.
      3. Compliance Reporting: Generate periodic reports on vendors' compliance with applicable regulations, contractual obligations, and agreed-upon security standards.
    3. Record Retention
      1. Retention Period: Vendor Risk Assessment documentation will follow record retention schedules for vendor-related documentation, ensuring compliance with legal, regulatory, and internal requirements.
      2. Data Privacy and Protection: Adhere to applicable data privacy and protection regulations when storing and handling vendor-related documents, ensuring proper safeguards are in place.

Approved by Cabinet: May 2023
Related Board Policy: Information Technology Services