Third-Party Risk Assessments

Information Security is always available for consultation! If you have questions regarding security, compliance or privacy, please reach out to us. Or, if you would like us to evaluate an aspect of your business, a risk assessment can be requested at any time.

What is a risk assessment?

A risk assessment is an identification and analysis of risks faced by the school, centers, departments or groups. Risk is the potential of an incident happening that may result in unwanted loss of an asset or delay to normal business operations. 

When are risk assessments required?

Risk assessments are required prior to any University department or employee contracting with an outside entity that will either:

  • Have access to Medical School PHI, PII or Student (FERPA) data
  • Have access to the Medical School network

Why is a risk assessment required?

Risk assessments are performed to ensure that Medical School data is adequately protected, that contractual obligations concerning information security, compliance and privacy are met, and that the contract owner is aware of any precautions that need to be taken.

What information is needed in order for Information Security to complete a risk assessment?

To begin a risk assessment, Information Security requires the following:

  • A copy of the proposed contract and any contract appendices

What does the risk assessment process entail?

Information Security will review the proposed contract for any security, compliance or privacy language.  If necessary, Information Security will request additional information/documentation from the outside entity to gain clarification around their security controls.   

How do I initiate a risk assessment?

Please submit a risk assessment request via the online form or email to

I am not sure if my contract requires a review. What should I do?

Please send us an email at  We would be happy to address your questions and evaluate the need for an assessment.