For a better experience, click the Compatibility Mode icon above to turn off Compatibility Mode, which is only for viewing older websites.

Third Party Risk Management


Third Party Risk Management (TPRM) program, governed by Information Security Office, is an initiative to reduce the risk to Institutional data and computing resources from outside parties and service providers. Information Security Office collaborates with Privacy, Office of General Counsel and Operations Departments to protect computing resources and digital intellectual property at the University. Drexel University relies on outside third-party service providers and cloud-based vendors for providing various services where service providers process or hold Institutional Data. Though Drexel University is committed to protect its data resources, it must ensure that third party service providers have appropriate controls to minimize the risk of data breach from unauthorized access or data loss.


Per INFORMATION SECURITY REQUIREMENTS FOR INSTITUTIONAL INFORMATION HELD BY THIRD PARTIES all university departments engaging third-party service providers for any computing services for storing, processing, or transmitting of Institutional data are required to contact Information Security Office at to begin the security assessment. The process begins with the requester completing an initial "Vendor Information Gathering" form providing details about the services provided by the vendor. The Information Security Office (ISO) reviews the form and determines if a comprehensive security assessment will be required.

A comprehensive security assessment involves the vendor completing a security questionnaire, known as the Higher Education Community Vendor Assessment Toolkit, or HECVAT. This is the standard questionnaire used by higher education institutions to measure vendor risk and understand what security controls are in place to protect the Institutional data. To learn more about the HECVAT questionnaire, please visit the HECVAT page. To see if a solution provider has completed a HECVAT, please visit the HECVAT Community Broker Index.

In the final step, Information Security Office (ISO) highlights the level of risk from the vendor by providing a "risk rating" and summarizing risk findings with security recommendations in a formal Vendor Risk Assessment report.


The security assessment process takes about 1-4 weeks.

Week 1 Information Security will review the initial assessment form to determine if a comprehensive assessment is required.
Week 2-3 For low risk engagements, Information Security will complete the assessment and send it to Compliance and Privacy for review.
Week 4 For medium and high risk engagements, the vendor will be asked to complete a detailed questionnaire and return it to Information Security for review. Information Security will complete its assessments and send it to Compliance and Privacy for review.

Note: The comprehensive assessment timeline is completely depended on the time it takes to complete the detailed questionnaire and how quickly the vendor responds to follow-up questions and inquiries.

Minimum Security Requirements

Drexel University Information Security Office has developed a security checklist for third-party software and vendors. For more information, please visit our Minimum Viable Secure Product webpage.

Contact Us

For questions regarding the form and security assessments, please contact Information Security at