One Step Ahead: V-STAR Moving to Risk Cloud

Another tip in a series provided by the Offices of Information Security, Information Systems & Computing and Audit, Compliance & Privacy
As of November 1, 2025, Penn is transitioning the Vendor Security Technical Assessment of Risk (V-STAR) process from a Word document to an automated online solution using the Risk Cloud software. V-STAR is an extremely important function for assessing security and privacy risk to Penn data stored in external, third-party systems. Any vendor that will store or transmit moderate or high-risk data (according to Penn’s Data Risk Classification scheme, located here: https://isc.upenn.edu/security/penn-data-risk-classification) should complete the V-STAR process.
As part of the transition, the V-STAR questions are being revised. The revised questionnaire and new software will have several benefits:
- V-STAR responses can be stored, so Penn community members can see if a V-STAR has already been completed for a particular vendor.
- A workflow for assessment of vendor responses will be deployed, so V-STAR responses do not have to be transmitted via e-mail or Secure Share.
- Attachments that verify a service provider’s security controls, such as a SOC 2 Type II report, or other documentation from the vendor can be included.
- Aggregate reporting on V-STAR responses can be conducted.
The new system can be accessed from the V-STAR webpage here: https://isc.upenn.edu/security/vstar
The new V-STAR application is sponsored by the Office of Information Security, in consultation with the Privacy Office and Penn Procurement Services. For any questions, please contact ASK_TPRM@lists.upenn.edu.
--
For additional tips, see the One Step Ahead link on the Information Security website: https://isc.upenn.edu/security/news-alerts%23One-Step-Ahead.