The vendor is required to provide a cybersecurity risk rating tool to automate the collection and analysis of externally available third-party risk data.
- Requirement:
1. Data output for subscriber
• Solution provides risk-prioritized findings that quantify, for the university’s external-facing assets and each third-party system, both (1) the severity of each security issue and (2) the asset value, or impact if compromised.
• The solution enables categorizing assets and vendors by department and point of contact
• The solution enables creation of action plans, based on risk priority
• Solution provides an interactive knowledge base with straightforward explanations and recommended actions for individual findings
• Solution provides all corroborating evidence to customer without limitation - including but not limited to IP address, host name and IT configuration – to support conclusions.
2. Data gathering and accuracy
• Methods for building your company profiles and security assessments.
• How frequently each vendor’s profile is refreshed
• How quickly a new vendor can be profiled
• Identify any security findings or criteria obtained from third-party sources and how you guarantee those findings are refreshed at the same frequency identified above.
3. Third-party collaboration and outputs
• Solution enables sharing of findings with subscriber’s third parties
• Any limitations regarding what data and findings subscriber can share with their third-party using the above process.
• Any fees the third-party is required to pay solution provider in order to obtain complete access to same data and findings as subscriber has.
• Any time restrictions (without additional fees paid) on any of the data to which the third-party is given access.
- Contract Period/Term: 5 years