Penn has a Vendor Security Technical Assessment of Risk (V-STAR) questionnaire for vendors as part of our SPIA process. This document is intended to help guide vendor responses about existing or planned security controls protecting hosted data and/or systems. Responses are used to evaluate the vendor's existing security posture and whether it meets Penn’s current recommendations and guidelines.
Whenever possible, vendors or operators of other outside systems that handle sensitive or confidential information should complete this questionnaire, and, if possible, they should do so before any decision is made to contract with the vendor to host university data.
Download the questionnaire from https://www.isc.upenn.edu/sites/default/files/v-star_v2.pdf. For a helpful video describing the items on the questionnaire and what is expected for them, go to the Penn KnowledgeLink gateway, log in with your PennKey and use the "Find Learning" box to search for V-STAR. For assistance determining risk classifications in the form, see ISC's Penn Data Risk Classification page.