Service Provider Management

Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.

Program Services & Resources

The following services and resources are provided by the NC K-12 Cybersecurity Program to PSUs at no cost, to help execute the actions defined in the K-12 CORE Safeguards:

Why is Service Provider Management Important?

In today’s interconnected world, enterprises increasingly depend on vendors and service providers to manage data and support core operations, making third-party security a critical concern. Breaches involving these partners, ranging from early retail industry compromises to modern ransomware attacks, can cause major disruptions or even directly impact PSU systems. Regulations like CIPA mandate extending security measures to these third parties, making third-party risk a key component of governance, risk, and compliance (GRC). Despite longstanding efforts to review third-party security, there is no universal assessment standard, leading to inefficiencies as providers undergo multiple, varied audits. While large providers receive significant scrutiny, smaller vendors, and even their subcontracted partners, often pose greater risks, especially when layered dependencies exist.

What can you do?

Enterprises have traditionally used frameworks like ISO 27001 or the CIS Controls to assess third-party security, often managing the process in spreadsheets, though centralized online platforms are now available. The emphasis, however, should be on building a strong, fundamental program rather than relying solely on checklists. Regardless of size, every PSU should have a written policy for reviewing service providers, maintain an up-to-date vendor inventory, assign each vendor a risk rating, and include contractual language (such as incident notification obligations) so that the provider is accountable when a security incident occurs. Modern third-party assessment platforms offer a centralized view of provider risk using dynamic scores drawn from technical evaluations and shared assessments. Reviews should focus on the specific services or departments that actually interact with the enterprise, and choosing providers that carry cybersecurity insurance or use managed security services can reduce residual risk. Finally, vendors must be securely decommissioned when contracts end: deactivate their accounts, stop data transfers, and obtain confirmation that PSU data has been securely disposed of.
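The inventory, risk-rating and decommissioning steps above can be kept honest with a small script. The following is an added example, not code from the NC K-12 Cybersecurity Program or the CORE Safeguards: it stores a vendor inventory as records, derives a risk tier as the higher of data sensitivity and operational criticality (mirroring the page's "sensitive data, or critical platforms or processes" definition), flags vendors whose last review is older than an assumed per-tier cadence, and lists the decommissioning steps still open for vendors whose contract has ended. The vendor names, the review intervals and the field names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Ordered least to most severe. A vendor's tier is the higher of its data
# sensitivity and its operational criticality, matching the page's definition
# (sensitive data OR critical platforms/processes).
LEVELS = ["low", "medium", "high"]
SENSITIVITY_LEVEL = {"public": "low", "internal": "medium", "confidential": "high"}

# Assumed review cadence per tier, in days. Not prescribed by the page.
REVIEW_INTERVAL_DAYS = {"high": 365, "medium": 730, "low": 1095}


@dataclass
class Vendor:
    name: str
    service: str
    data_sensitivity: str          # public | internal | confidential
    operational_criticality: str   # low | medium | high
    contract_end: Optional[date]   # None while the contract is still active
    last_review: Optional[date]    # None if the vendor has never been assessed
    accounts_active: bool          # vendor still holds accounts in PSU systems
    data_transfer_active: bool     # exports/feeds to the vendor still running
    data_disposal_confirmed: bool  # written confirmation of secure disposal


def risk_tier(v: Vendor) -> str:
    """Return low/medium/high: the higher of sensitivity and criticality."""
    sens = LEVELS.index(SENSITIVITY_LEVEL[v.data_sensitivity])
    crit = LEVELS.index(v.operational_criticality)
    return LEVELS[max(sens, crit)]


def overdue_reviews(inventory: List[Vendor], today: date) -> List[str]:
    """Active vendors never reviewed, or reviewed longer ago than their tier allows."""
    overdue = []
    for v in inventory:
        if v.contract_end is not None and v.contract_end <= today:
            continue  # ended contracts are handled by offboarding_gaps()
        limit = REVIEW_INTERVAL_DAYS[risk_tier(v)]
        if v.last_review is None or (today - v.last_review).days > limit:
            overdue.append(v.name)
    return overdue


def offboarding_gaps(inventory: List[Vendor], today: date) -> Dict[str, List[str]]:
    """For vendors whose contract has ended, list decommissioning steps not yet done."""
    gaps: Dict[str, List[str]] = {}
    for v in inventory:
        if v.contract_end is None or v.contract_end > today:
            continue
        missing = []
        if v.accounts_active:
            missing.append("accounts still active")
        if v.data_transfer_active:
            missing.append("data transfers still running")
        if not v.data_disposal_confirmed:
            missing.append("data disposal not confirmed")
        if missing:
            gaps[v.name] = missing
    return gaps


# Constructed sample inventory; vendor names are fictional (assumption).
INVENTORY = [
    Vendor("GradebookCo", "student information system", "confidential", "high",
           None, date(2023, 1, 15), True, True, False),
    Vendor("LibCat", "library catalog", "internal", "low",
           None, date(2024, 9, 1), True, True, False),
    Vendor("SurveyTool", "parent surveys", "confidential", "low",
           date(2024, 12, 31), date(2024, 3, 1), True, False, False),
    Vendor("WebHost", "public website hosting", "public", "medium",
           date(2025, 3, 31), date(2025, 1, 10), False, False, True),
]
TODAY = date(2025, 6, 1)  # fixed "today" so the run is reproducible

if __name__ == "__main__":
    for v in INVENTORY:
        print(f"{v.name:12} {v.service:26} tier={risk_tier(v)}")
    print("Overdue reviews:", overdue_reviews(INVENTORY, TODAY))
    print("Offboarding gaps:", offboarding_gaps(INVENTORY, TODAY))
```

With the sample data, GradebookCo is high tier and overdue (last reviewed more than a year ago), LibCat is medium tier and current, and SurveyTool's contract has ended with accounts still active and no disposal confirmation, which is exactly the kind of gap the decommissioning step is meant to close. Using the stricter of the two ratings keeps a low-criticality vendor that holds confidential data (SurveyTool) in the high tier.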

Specific details and procedures are outlined in the K-12 Cybersecurity CORE Safeguards.

**NC K-12 Cybersecurity Community Mailing list subscription is required to access the CORE Safeguard materials**