Any non-University, outside entity, including non-profit groups and non-registered student organizations on campus (e.g., vendors, service providers, grant providers, unregistered fan clubs, unregistered student groups, and unregistered interest/support groups), can be classified as a third party.
It is important to manage third-party risks to make informed risk decisions and comply with regulatory requirements. Failure to adequately manage third-party risk may increase UCLA’s exposure to operational risks, major personal data loss, financial losses, and significant adverse reputational impact.
The Department/Unit engaging with the third party is accountable for managing the third-party relationship and associated risks. UCLA stakeholders such as OCISO, Campus Purchasing, Privacy, Accessibility Office, CRE, etc. perform additional risk assessment activities to assist the Unit with risk identification and mitigation.
The responses to the UCLA Triage Form questions help to identify applicable risks and drive the subsequent risk management activities and third-party oversight requirements. 
The Third-Party Risk Assessment is used to review a third party’s ability to comply with UCLA’s data security expectations. The assessment reviews the third party’s controls related to data security, business continuity & disaster recovery, application security, network security, vulnerability management, etc. and identifies control gaps, as appropriate.
When outsourcing services/products to a third party, it is important that risks arising from the outsourced activity are managed to prevent harm to UCLA.
The Department/Unit should ensure that the OCISO, Data Privacy and Accessibility Offices, OGC, and Insurance are included during the contract negotiations and discussions of any material deviations to UCLA’s standard terms and conditions, as applicable.
When there is a seemingly unresolvable, internal dispute between Department/Unit leaders and UCLA’s risk assessors about whether or how to manage critical third-party risks, the CRE can be called upon to make a final determination. 
From the time of initiating a third-party request, it may take up to nine weeks to conduct triage, assess the third party, and review third-party contracts.
TPRM Triage is an approach to assessing the risk a third party (suppliers, consultants, or business partners) poses to UCLA and mitigating the identified risk before and after establishing a business relationship.
Yes, and included are the vendor questionnaires (e.g., Full, Lite and Ultra-Lite) used for all domestic and international vendors. 
The new TPRM v2 has been released for UCLA campus and Non-Mednet departments. For Mednet, it will be released in March 2023. (Note: TPRM assessments for Mednet departments are handled through a separate process by UCLA Health).
After the IT Security review has been completed, you can submit a requisition to Campus Purchasing.