Third-Party Assessments: Not Just a Questionnaire

Four years ago, Indiana University began assessing the security of cloud vendors and other third parties using a simple questionnaire. Over time, the process has matured to take advantage of IU's data-classification system and a more formal governance structure involving institutional data stewards and compliance groups. We've also improved our assessment questionnaire and the data-protection language that goes into our contracts. In this presentation, we will track IU's progress on third-party assessments, including successes and obstacles, while encouraging attendees and online participants to share parallel experiences from their own institutions. We'll also discuss goals for future improvements.