Vendor Assessment Policy
Statement and Purpose
Effectively managing the risk associated with third parties is critically important for securing University operations, information assets and protecting constituent data. No software or services contract that includes network access, information technology, or use of Institutional Data may be entered into by a university employee without prior approval/review by the Chief Information Officer (CIO) and the VP for Business and Finance, or their designate. All new vendors with Software-as-a-Service (SaaS) must conform to the requirements in the Cloud Computing Policy. Any vendor engagement requiring a contract must also follow the University's Contract Review Policy.
Certain terms in this policy are defined at the end of the policy.
Entities Affected By This Policy
This policy applies to all departments, employees, and contractors involved in the vendor assessment, selection, and contract management process at Seattle Pacific University.
Reason for Policy
This policy is established to ensure that Seattle Pacific University systematically evaluates, selects, and manages vendors to meet business objectives, mitigate risks, and comply with applicable laws and regulations. It is also established to ensure that Seattle Pacific University reduces risk and adheres to the standards and regulations set forth by the Higher Education Community Vendor Assessment Toolkit (HECVAT), NIST 800-171 Systems and Services Acquisition (SA-1), and the Gramm-Leach-Bliley Act (GLBA).
Policy Version: 1.0
Responsible Office: Office of Business and Finance
Responsible Executive: VP for Business and Finance
Effective Date: October 1, 2025
Last Updated: October 1, 2025
New Service Provider Assessment
Prior to engaging a vendor, a comprehensive assessment shall be conducted to evaluate their capabilities, reliability, financial stability, and compliance with relevant laws and regulations. The vendor assessment will vary depending on the assessed level of risk and will comply with the Gramm-Leach-Bliley Act (GLBA) Information Security Program Policy.
See Vendor Risk Assessment Procedures for steps and expected turnaround times.
Sharing of Confidential Data
If SPU intends to share confidential information (Data Classifications) with any service provider, SPU must enter into a written agreement with the service provider to comply with state and federal law. Agreements involving institutional data must adhere to the Institutional Data Policy and take into account any Data Regulatory Compliance issues. Additionally:
Use of University Data may also require approval from the appropriate data steward in accordance with the Institutional Data Policy.
The Higher Education Community Vendor Assessment Toolkit (HECVAT) will be filled out by the vendor as part of the risk level assessment.
The type of data may require a Data Security Addendum (DSA) to protect sensitive institutional data held by the service provider.
Risk Level Assessment
The assignment of the inherent risk of any vendor should be based on several considerations. Of primary concern is the type of data to which the vendor will have access. However, other factors might include legal, regulatory, compliance, and other considerations such as the availability and uniqueness of services provided. All vendors should be assigned an inherent risk ranking per the guidelines below. Most vendor risk assessments will use the Higher Education Community Vendor Assessment Toolkit (HECVAT).
No Risk
These vendors 1) would have no access to any type of information, and no opportunity to access sensitive information when conducting services, 2) services are not unique or special in the marketplace, 3) have multiple competitors available that can offer replacement services with no disruption to business functions, 4) do not pose any other type of risk per the above. Examples include: Balloon animal vendor for one-time entertainment during an event paid via credit card; food-truck concession vendor given permission to park and sell concessions to attendees at a conference.
Low Risk
These vendors 1) would have little to no access to any type of sensitive information and little opportunity to access sensitive information when conducting services, 2) services are not unique or special in the marketplace, 3) have multiple competitors available that can offer replacement services with very little to no disruption to business functions, 4) do not pose any other type of risk per the above. Examples include: Landscaping firm contracted to care for shrubs and cut grass for outside areas, properly escorted HVAC contractor on-site to change air filters.
Moderate (Medium) Risk
These vendors 1) would have access to a limited amount of sensitive information and/or some opportunity to access sensitive information when conducting services, 2) services are not unique or special in the marketplace, 3) may have some competitors available that can offer replacement services with some disruption to business functions, 4) may pose some other type of risk per the above. Examples include: bulk email marketing distribution vendor who maintains a list of email addresses and names of employees or clients, compensation analysis vendor who would have access to anonymized compensation data for employees at the firm.
High Risk
These vendors 1) would have access to a significant amount of sensitive information and/or great opportunity to access sensitive information when conducting services, 2) services may be unique or special in the marketplace, 3) may have some competitors available that can offer replacement services, however, significant disruption to business and operational functions would be incurred, 4) may pose some other type of risk per the above. Examples include: outsourced Human Resources vendor, data processing vendor for credit card transactions, tax preparer, 401K services provider.
Vendor Relationship Management
Provider relationships should be periodically reviewed based on the risk they pose to the institution and the ongoing value of the partnership. The review should:
Review contract for any obligations either party has failed to perform.
Review costs for ongoing and one-time services.
Review any changes to security procedures/policies.
Request updated vendor security assessments, such as SOC 1 or SOC 2 reports.
Assess quality of service, updates and support, including problems, updates, improvements, support experience, and training/documentation.
Provide feedback to vendor on the above review. This can often happen during renewal conversations.
Software contracts must adhere to the Enterprise Software Acquisition policy and require a Higher Education Community Vendor Assessment Toolkit (HECVAT) assessment.
See Vendor Risk Assessment Procedures for steps and expected turnaround times.
Contract Renewal
Contracts shall be reviewed before renewal with respect to any regulatory changes that may impact the business relationships.
A process for transitioning services and data in the event of contract termination shall be contractually established if it is not already defined.
Contract Termination and Offboarding
The Business Sponsor is responsible for ensuring that relationships terminate in an efficient manner, whether the activities are transitioned to another third party or in-house, or discontinued. In the event of contract default or termination, the Business Sponsor will have a plan to address required activities in an appropriate manner. This plan should address the following concerns as applicable:
capabilities, resources, and the time frame required to transition the activity while still managing legal, regulatory, customer, and other impacts that might arise.
risks associated with data retention and destruction, information system connections, and access control issues, or other control concerns that require additional risk management and monitoring during and after the end of the third-party relationship.
handling of joint intellectual property developed during the course of the arrangement.
reputation risks to Seattle Pacific University if the termination happens as a result of the third party’s inability to meet expectations.
revocation or termination of any access to data systems or resources.
The extent and flexibility of termination rights may vary with the type of activity.
Record Keeping
The master vendor inventory and all documentation (contracts, risk assessments, checklists, financial reviews, SSAE-16 reports, etc.) relating to each vendor will be maintained by the Office of Business and Finance. The Business Sponsors responsible for the contractual relationship will also be responsible for requesting the information required for the annual review.
Policy Enforcement
Failure to comply with this Vendor Assessment and Contract Review Policy may result in disciplinary actions, including termination of employment or contract termination.
Related Policies and Procedures