In July 2023, UCLA’s Governance Risk & Compliance team (GRC) won the Design Innovation, IT Security, and Operational Excellence UC Tech Silver Award for their project “Managing Vendor Risk One Triage at a Time.”
Summary
The UCLA Third Party Risk Management (TPRM) program supports over 40,000 students and staff. The project, “Managing Vendor Risk One Triage at a Time,” aimed to automate the TPRM process within ServiceNow (SNOW). The success of the project is measured by its operational impact on UCLA, which fulfills the IS-3 security requirements, and its expansion for use at UCLA Mednet. Through the use of ServiceNow, the UCLA team was able to transform a complex process into a simple, repeatable solution that enables the team to proactively manage vendor risk. The UCLA team worked on this project for two years and saw fast success. After releasing version 1, the team was already working on version 2 and subsequently released the product in early 2023. Version 2 was created to respond to user feedback and challenges.
These challenges included the following:
- Improving the interface
- Consolidating and reducing the number of questions within the triage form
- Implementing the ability to repurpose previous assessments
- Providing real-time status for submitted tickets
The team was able to customize the SNOW portal used for service tickets and develop an original user-friendly interface. The GRC team created a triage form within the interface which reduced the number of questions by 66%. Lastly, the GRC team utilized creative and complex scripting on the back end to repurpose completed assessments and add versioning to understand assessment timelines.
Team members
Governance (GRC) Team
- Ernesto Carrasco, Director, ITS, UCLA, Staff
- Harold Shin, Sr. IT Risk Analyst, ITS, UCLA, Staff
- Shun Tsukazaki, ITS, Deloitte (Staff Augmentation)
ServiceNow (SNOW) Team
- Mike Quirk, Manager, ITS, UCLA, Staff
- Anna Santa Cruz, ITS, UCLA, Staff
- Rohith Thakkallapally, ITS, UCLA, Staff
Initiative details:
UCLA’s team wanted to be proactive in managing security to stay ahead of cyber risk. “Managing Vendor Risk One Triage at a Time” was able to increase security and response speed. The system has addressed the following:
- Legal needs concerning potential risk, data protection and security, and proper contracting
- Information security needs to ensure IS-3 cyber risk requirements are met
- Engineering needs to ensure quick and accurate implementation and integration. For example, outsourced vendors will only have access to information based on the data’s level of risk.
Implications
The creation of the project has reduced the overall assessment time by 66% while improving the experience for end users. TPRM request and review time has been shortened by 50% or more. This project implementation has huge positive impacts on UCLA’s campus and medical center, which affects more than 40,000 personnel. UCLA hopes to expand the use of its tool to other UC schools, so institutional information and IT resources are protected UC-wide.
Learn more
To learn more, please email grc@ucla.edu.