
IT Risk Assessment

Service Description

A risk is a threat and its potential to affect institutional finances, reputation, security, and compliance. A risk assessment is a process that identifies potential risks and the appropriate mitigations based on impact. IT Security conducts two types of risk assessments: General Risk Assessments and Vendor Risk Assessments.

General Risk Assessment

A General Risk Assessment is the identification and review of risks associated with internal processes and procedures. It can be broadly applied and will help narrow next steps for increasing security and lowering risk. Examples of scenarios when this service may be needed are assessing risk associated with the collection and storage of student information, application development and website security, or reviewing information systems that support sensitive research. It is available to all university faculty and staff.

Vendor Risk Assessment

A Vendor Risk Assessment is the evaluation of risk associated with using 3rd party products and services. This assessment may be needed when procuring Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS). In these situations, Vanderbilt is subscribing to a 3rd party’s services where the vendor is responsible for security of Vanderbilt information and/or performing a business operation on our behalf. This service is a review of the vendor’s reputation, reliability, and security posture for ensuring business continuity and protection of information in their care.

This service is a consultation and should be conducted prior to the procurement of the SaaS, IaaS, or PaaS. It is available to all university faculty and staff.

Support Contacts

IT Security Risk & Compliance

Service Charges or Fees

There are currently no service charges or fees for this service.

Requesting Service

General Risk Assessment

Vendor Risk Assessment (3rd party) or contact your Relationship Manager.

What You Can Request

General Risk Assessment
Vendor Risk Assessment (3rd party)

Related Services

Data Use Agreements (DUA)
Multi-factor Authentication (MFA)
Privileged Account Management (PAM)
Threat Monitoring, Detection, and Response (TMDR)
IT Security Policy Development and Lifecycle
Vulnerability and Systems Posture Assessment (VASPA)
IT Compliance Assessment
IT Security Awareness and Training
IT Security Consulting

Service Category

Security Policy and Compliance