Office of the Chief Information Security Officer

IT Vendor Risk Management

Better vendor relationships

Making a wise investment in a vendor-provided information technology solution is challenging. The concerns of operational, technical, and administrative stakeholders must be integrated holistically, with the needs of specialty disciplines evaluated and balanced, to produce a vendor relationship that is functional, manageable, and responsible.

The Office of the CISO provides IT Vendor Risk Management as an advisory service available through the UW-IT Service Catalog. Support is available throughout the lifecycle of the vendor relationship.


Is there a "how-to" guide that I can read for the procurement process?

Yes, on the IT Sourcing Guide web page.

What is the University’s policy for vendor cybersecurity?

Under APS 2.6, Executive Heads of Major University organizations are responsible for the risks associated with their assets. To satisfy this responsibility, they must exercise and demonstrate due care in securing their information assets and technical capabilities.

What is the University’s policy for IT projects?

All IT projects conducted within any unit or by any individual, regardless of their cost, must comply with APS 2.3 and adhere to the stewardship guidelines for IT Projects and Acquisitions.

Does the Office of the CISO approve IT purchases?

The Office of the CISO neither approves nor forbids any transaction but is often brought in as a resource that empowers informed decision-making and encourages cross-discipline cooperation.

Do I need to seek help at the start of the procurement process?

Not at all. Information technology lifecycles are continuous. We will meet you wherever you are in the process.

What if I still have questions?

Questions should be directed to UW Procurement Services as early as possible. They will ensure that the correct subject matter experts and supporting offices can be coordinated to assist your effort.