When multiple faculty members or departments need to purchase the same software, the Governance, Risk, and Compliance (GRC) department runs each request through the Third-Party Risk Management (TPRM) approval process. Below is an overview of the key factors and guidelines provided by the GRC.
The GRC evaluates the following three criteria during the TPRM process:
1. Type of data involved: determining the nature of the data being handled.
2. Data storage location: identifying where the data is stored (e.g., cloud storage, on-premises).
3. Vendor access to data: understanding whether the vendor has direct access to the data.
If all three factors are deemed low-risk, the GRC will advise the submitter to proceed with the requisition process. If any risk is identified (for example, data stored in the cloud, or handling of personal/privacy data classified as P3/P4), the GRC will conduct a more thorough vendor review to ensure data security. Additionally, differing use cases among users may pose challenges, since each use case may require its own risk evaluation.
Each faculty member or department must submit an individual TPRM request, even for the same software.
The GRC suggests a workaround for identical software purchases with the same use case:
However, it is important to note that separate purchase orders cannot reuse the same TPRM approval number, as Purchasing will flag this.
The GRC has identified two other reasons for maintaining individual TPRMs:
1. Software inventory tracking: this helps the institution keep track of software usage, which may be beneficial when negotiating campus-wide licenses.
2. Security notifications: in the event of a security breach, the security office needs to notify the specific users affected so that appropriate actions can be taken.