Another tip in a series provided by the Offices of Information Security, Information Systems & Computing and Audit, Compliance & Privacy

Changes are coming to Penn’s V-STAR (Vendor Security Technical Assessment of Risk) questionnaire, which Penn community members use to assess technology risks posed by vendor-provided solutions. As of September 1, 2024, two new questions will be added, one replacing and clarifying the existing question about data, and the other a new question about artificial intelligence (AI). For more information about Penn’s stance on AI, please see the University’s guidance document here:  https://www.isc.upenn.edu/security/AI-guidance.

The updated V-STAR with the new questions is available here:  https://www.isc.upenn.edu/security/vstar.

These new questions begin a general overhaul of the V-STAR questionnaire. Over the next year, Penn plans to transition V-STAR from being a Word document into an automated online solution using software called Risk Cloud. As part of the transition, the V-STAR questions are being revised.  

The revised questionnaire and new software will have several benefits:

• V-STAR responses can be stored so Penn community members can see if a V-STAR has already been completed for a particular vendor
• A workflow for assessment of vendor responses will be deployed, so V-STAR responses do not have to be transmitted via e-mail or Secure Share
• Attachments can be included, such as a SOC2 Type II report or other documentation from the vendor
• Aggregate reporting on V-STAR responses can be conducted

This project is being spearheaded by the Office of Information Security, with participation from the Privacy Office and Procurement Services. To learn more, please join us at the Q&A sessions on September 17 and October 16. Please contact younes@upenn.edu to register for the sessions.

For additional tips, see the One Step Ahead link on the Information Security website: https://www.isc.upenn.edu/security/news-alerts#One-Step-Ahead.