Third Party Service Risk Assessment

Objectives of the Third Party Service Risk Analysis:

In the event of employing a third party service or utilizing infrastructure off campus the following proceedure will:

  • Provide you with a better understanding of risks and liabilities associated with using a new software solution or off campus infrastructure service, and your responsibilities with respect to its implementation as it applies to risk management and information security.
  • Maintain the security of Western’s data based on Western's Data Classification Standard.
  • Offer you advice and assistance as appropriate.

 This website contains information about IT, procurement, financial, privacy, legal and University policy issues when dealing with cloud based software.  Recommendations are for informational purposes only and may not reflect the most current developments.  These informational materials are not intended, and should not be taken, as legal advice on any particular set of facts or circumstances.  You should contact the relevant departments identified throughout this site for assistance on your specific set of circumstances.

Tier I - Preliminary Analysis

When individuals at the unit level are interested in implementing or using software, they should refer to a ‘Cloud Service web page’ that identifies conditions where they must seek advice if any of the conditions are true. The conditions include sensitive information, integration with or use of Western’s information systems, acceptance of payments, purchase > $10,000, or the signing of a contract. These are thought of as Tier 1 questions.

If none of the conditions are true, then the individual may proceed with the software implementation.

Tier II - Detailed Analysis

If one or more of the Tier I conditions are true, then the individual proceeds to the next level (Tier II), where there are more questions and reference material to identify Western’s policies and guidelines. In addition, there is contact information where advice related to a particular area can be found. The questions are intended to provide the individual with the issues that each area addresses in their review of the software.

When the relevant issues have been addressed, the software may be implemented.

A Technology Risk Assessment Tool is available to assist you with completing your risk assessment.

Published on  and maintained in Cascade CMS.