RIC ONE Vendor Management Risk Operations Center 2023-24 Annual Report


NEW YORK STATE REGIONAL INFORMATION CENTERS
2023-2024 ANNUAL REPORT
RIC ONE VENDOR MANAGEMENT RISK OPERATIONS CENTER (RIC ONE ROC)

Vendor management functions: performance risk management, data protection risk management, and value risk management. Optimize performance, drive innovation, reduce risk. Centralized, standardized, and cost-effective.

CONTENTS

‣ RIC One ROC Data Privacy Agreements (DPAs) Function

‣ RIC One ROC Data Protection Risk Management Function

‣ RIC One ROC Team and Partners

‣ Appendix

RISK OPERATIONS CENTER (RIC ONE ROC)

VENDOR MANAGEMENT RISK OPERATIONS CENTER (RIC ONE ROC) OVERVIEW

RIC One is designed to coordinate efforts between the twelve statewide Regional Information Centers (RICs). The centers work collaboratively as one to provide efficient and unified statewide technology leadership and innovative solutions. The RIC One Vendor Management Risk Operations Center (RIC One ROC) is implementing centralized, standardized, cost-effective, and sustainable processes to manage vendor risk. In Phase 1, during the 2023-2024 school year, the RIC One ROC focused on the protection of data. Specifically, the ROC focused on developing a structure that supports the efficient execution of Data Privacy Agreements. This page explains the RIC One ROC’s current and future functions. The functions are identified in the dark blue boxes. Important vendor management functions that are outside the scope of the RIC One ROC are also identified in the light blue boxes. To learn more, review the diagram below.

STRATEGIC SOURCING

‣ Solicitation and Selection Processes (out of scope) 1

‣ Due Diligence Data Protection Processes (RIC One ROC function)

Strategic Sourcing and Procurement involves leveraging policies and processes to obtain technology and IT services in compliance with state laws and best practice. In the future, for priority vendors, the RIC One ROC plans to perform due diligence efforts to identify cybersecurity risks. (NIST CSF 2.0 GV.SC-06 Alignment)

CONTRACTS MANAGEMENT

‣ Master Service Agreements (MSAs) (out of scope) 1

‣ Data Privacy Agreements (DPAs) (RIC One ROC function)

Contract Management involves negotiating terms that address legal and regulatory requirements. Additionally, other terms are negotiated to mitigate risk. The RIC One ROC works with data privacy partners, such as NYSED, A4L’s Student Data Privacy Consortium, and the TEC Student Data Privacy Alliance, to maintain a centralized and standardized structure that supports the negotiation, execution, and management of data privacy agreements. (NIST CSF 2.0 GV.SC-05 Alignment)

RISK MANAGEMENT

‣ Data Protection Risk Management (RIC One ROC function)

‣ Performance Risk Management (RIC One ROC function)

‣ Value Risk Management (RIC One ROC function)

Risk Management involves implementing processes to minimize risks associated with third-party products and vendors. The RIC One ROC is developing processes to influence vendors’ cybersecurity postures, the quality of products and services, and vendors’ plans for existing and new solutions. (NIST CSF 2.0 GV.SC Alignment)

PURCHASE AND PAYMENT PROCESSES (out of scope)

Diagram legend: RIC One ROC functions; 2023-2024 (Year 1) focus on the data protection functions; NIST CSF alignment noted for each function.

1 There are other consortium and collaboration structures that the BOCES and RICs leverage to support the areas that are out of scope. For example, Erie 1 BOCES/WNYRIC and Capital Region BOCES manage contract consortiums. Additionally, BOCES and RICs have local practices that support procurement and MSA needs. The new RIC One ROC processes complement these existing BOCES structures.


RISK OPERATIONS CENTER (RIC ONE ROC) PRODUCT SCOPE

This diagram includes information about product segmentation. The 2023-2024 pilot product scope and the 2024-2025 anticipated product scope are defined. The rest of the information mirrors the diagram on Page 3. The new RIC One ROC processes complement existing BOCES collaborative contracts consortiums. Together, these centralized, standardized, cost-effective, and sustainable vendor management processes support NYS educational agencies in efficiently and effectively addressing priority vendor responsibilities.

PRODUCT SCOPE DECISION-MAKING

‣ Product segmentation, categorization, and tiering strategies are used to assist agencies in allocating the right resources to the right products.

‣ The ROC uses these strategies to inform resource allocation.

‣ The scope of products addressed varies based on Function.

‣ Example segmentation, categorization, and tiering criteria are highlighted below.

PRODUCT SCOPE KEY CRITERIA

Use level, data sensitivity, product criticality, service dependency, switch costs, and data reporting.

RIC ONE ROC FUNCTIONS, PRODUCT SCOPE, AND NIST CSF ALIGNMENT

The function descriptions are the same as on the Overview page.

STRATEGIC SOURCING

‣ Solicitation and Selection Processes (out of scope) 1

‣ Due Diligence Data Protection Processes (RIC One ROC function; NIST CSF 2.0 GV.SC-06 Alignment)

‣ 2023-2024 Scope: None

‣ 2024-2025 Scope: New 7710 potential financial management systems and student management systems.

CONTRACTS MANAGEMENT

‣ Master Service Agreements (MSAs) (out of scope) 1

‣ Data Privacy Agreements (DPAs) (RIC One ROC function; NIST CSF 2.0 GV.SC-05 Alignment)

‣ 2023-2024 Scope: Products, and the related vendors, selected by NYS pilot educational agencies.

‣ 2024-2025 Scope: Products, and the related vendors, with access to students’ personally identifiable information.

RISK MANAGEMENT (RIC One ROC functions; NIST CSF 2.0 GV.SC Alignment)

Data Protection Risk Management

‣ 2023-2024 Scope: SchoolTool

‣ 2024-2025 Scope: Tiering-informed products from the 793 Appendix C Section 7710.

Performance Risk Management

‣ 2023-2025 Scope: 7710 products to be determined based on Directors’ decision-making.

Value Risk Management

‣ 2023-2025 Scope: None

PURCHASE AND PAYMENT PROCESSES (out of scope)

1 There are other consortium and collaboration structures that the BOCES and RICs leverage to support the areas that are out of scope. For example, Capital Region BOCES and Erie 1 BOCES manage contract consortiums.

VENDOR MANAGEMENT RISK OPERATIONS CENTER (RIC ONE ROC) BENEFITS

CONTRACTS MANAGEMENT: DATA PRIVACY AGREEMENTS (DPAs)

Benefit: a centralized, standardized, cost-effective, and sustainable DPA structure.

This Function includes processes to streamline DPA negotiation work. Standardized language, a centralized negotiation team, and piggybacking functionality are used to support the execution of DPAs. School districts and BOCES can leverage the structure.

This function only addresses DPA needs. Educational Agencies will continue to negotiate or accept the standard terms defined in a Master Service Agreement.

DPAs THAT PROTECT STUDENT DATA FOR A BROAD SCOPE OF PRODUCTS

RISK MANAGEMENT: DATA PROTECTION, PERFORMANCE, AND VALUE RISK MANAGEMENT

Benefit: processes to manage vendor risks.

PRODUCTS ARE TIERED TO SUPPORT RESOURCE ALLOCATION

Tiering drives resource allocation related to Risk Management. Data sensitivity, service criticality, service dependency, participation levels, and switch costs are examples of criteria that impact tiering. Tier 1 vendors are the top priority.

This Function includes processes that are used to influence vendors’ cybersecurity postures, the quality of products and services, and vendors’ plans for existing and new solutions.

‣ Data protection: vendors’ cybersecurity posture

‣ Product performance: quality of products

‣ Product value: vendors’ product roadmaps

MONITORING AND MANAGING PRIORITY RIC-SUPPORTED PRODUCTS

RISK OPERATIONS CENTER (RIC ONE ROC) DPA STRUCTURE OVERVIEW

RIC ONE ROC DATA PRIVACY AGREEMENTS (DPAs) FUNCTION

DPA structure components: standard terms, a centralized negotiation team, and piggybacking terms and workflow.

The RIC One ROC manages centralized, standardized, cost-effective, and sustainable processes to minimize vendor risk. One of the primary RIC One ROC roles is to streamline processes associated with contractual needs related to the protection of student data. In partnership with NYSED, the RICs are working with multi-state and national data privacy and security alliances invested in the K-12 vendor ecosystem to support the negotiation of data privacy agreements (DPAs). This page provides details about the RIC One ROC’s function that supports the execution of Data Privacy Agreements.

PARTNERS CENTRALIZING, STANDARDIZING, AND STREAMLINING DPA PROCESSES

At the national level, NYSED maintains an Access 4 Learning (A4L) Community membership. A4L manages an alliance, the Student Data Privacy Consortium (SDPC), that focuses on initiatives to support student privacy. Through NYSED’s membership, NYSED, school districts, and BOCES are able to leverage A4L SDPC’s National Data Privacy Agreement (NDPA). At the multi-state level, the RICs maintain a TEC Student Data Privacy Alliance (TEC SDPA) membership. Through this membership, districts and BOCES can piggyback on existing agreements and request new agreements that leverage the NDPA. TEC and the ROC work together to support the negotiation of NYS terms.

The RIC ROC DPA management structure and a strategic field implementation plan were developed to support the state in leveraging the NDPA in a responsible manner. To complement the standard national terms, state-specific terms were developed by NYSED leaders and attorneys, TEC attorneys, BOCES attorneys, RIC cybersecurity specialists, and RIC leaders. Contract managers and attorneys support the negotiation of DPAs using this common language. Once an educational agency executes an agreement negotiated by the centralized team, other agencies can piggyback on that DPA. In addition to supporting the efficient execution of DPAs, this new structure is used to support school districts, BOCES, RICs, and NYSED in holding vendors accountable, as common terms are negotiated into these agreements. This will be particularly valuable as NYSED and BOCES/RICs engage with vendors regarding breaches and security vulnerabilities. It is important to note that the approach will not address all field challenges. There are vendors unwilling to agree to the required terms. The diagram below illustrates the processes local educational agencies (LEAs) can use to access these DPAs. The top option is the process for piggybacking. Below the piggybacking option is the process to follow if there isn’t an existing agreement in place.

PROCESS FOR A NYS LEA TO PIGGYBACK ON AN EXISTING DPA OR INITIATE A NEW AGREEMENT 1

Piggyback on an existing DPA:

‣ Locate an existing DPA: search for an existing Alliance DPA (TEC negotiated agreement with NYS terms).

‣ Piggyback on an existing DPA: piggyback on an agreement using the Exhibit E A4L SDPC Registry functionality.

‣ Review supplemental information: enter MSA duration information and review the posted Ed Law 2-d Supplemental Information.

Initiate a new agreement:

‣ Request a DPA: as necessary, submit a new DPA request.

‣ Following negotiations, sign a DPA: sign an originating LEA DPA.

‣ Review supplemental information: enter MSA duration information and review the posted Ed Law 2-d Supplemental Information.

1 This process only addresses DPA needs. Educational Agencies also need to negotiate or accept the standard terms defined in a Master Service Agreement.
STATES WORKING TOGETHER TO PROTECT DATA USING STANDARDIZED LANGUAGE AND COMMON PROCEDURES

RISK OPERATIONS CENTER (RIC ONE ROC) DATA PROTECTION MONITORING OVERVIEW

RIC ONE ROC DATA PROTECTION RISK MANAGEMENT FUNCTION

The RIC One ROC is implementing centralized, standardized, cost-effective, and sustainable processes to manage vendor risk. One of the primary RIC One ROC roles will be to monitor and influence vendors’ data security controls. This will be done through functions that assist the centers in understanding, prioritizing, responding to, and monitoring risks over the course of the relationship. Vendor tiering will be used to prioritize products that are managed through these structures. Please be aware that this function is not yet developed, and the high-level vision and plan documented on this page are expected to be refined.

RIC ONE ROC TIERING LEVELS AND CRITERIA USED

Tiering drives resource allocation related to Risk Management. Tiering levels and criteria are illustrated below.

TIERING LEVELS

‣ Tier 1 vendors

TIERING CRITERIA

‣ Criticality: service disruption impact

‣ Use level: high use by NYS ed agencies

‣ Service dependency: no or few viable alternatives

‣ Data sensitivity: protected or sensitive data

‣ Switch costs: high product migration resource needs

‣ Data reporting: used to support NYSED reporting

RIC ONE ROC PROCESSES TO MONITOR AND INFLUENCE VENDORS' DATA SECURITY CONTROLS

The ROC will engage with vendors to support proactive planning regarding critical data security controls and to verify vendors are complying with priority contractual obligations.

RIC ONE ROC USES ONGOING BREACH / CYBERSECURITY … TO SUPPORT PRODUCT PRIORITIZATION

NIST CSF 2.0 ALIGNMENT

These RIC One Data Protection Risk Management Processes align with the NIST CSF 1.1 and 2.0 Supply Chain Category. Currently, NIST CSF 1.1 is the Standard for Data Privacy and Security for NYS Education Agencies. Below are example controls aligned with this RIC One ROC function from the 2.0 framework.

SUPPLY CHAIN RISK MANAGEMENT (GV.SC)

‣ GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders.

‣ GV.SC-04: Suppliers are known and prioritized by criticality.

‣ GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship.

RIC ONE ROC TEAM AND PARTNERS

2023-2024 RIC ONE ROC TEAM

Team roles: project compliance and guidance, cybersecurity specialists, data privacy and security field support, RIC directors, applications specialists, and project management.

‣ Chantal Corbin, Central New York RIC, ccorbin@cnyric.org

‣ Brittany Rizzo, Mohawk RIC, brizzo@moric.org

‣ Don Harple, Northeastern RIC, don.harple@neric.org

‣ Lori DeForest, Central New York RIC, ldeforest@cnyric.org

‣ Joe Bufano, Central New York RIC, jbufano@ocmboces.org

‣ Kathleen Moorhead, ROC Consultant, patonconsultingllc@gmail.com

‣ Mike Doughty, Northeastern RIC, michael.doughty@neric.org

‣ Tom Guillon, South Central RIC, tguillon@btboces.org

‣ Heather Mahoney, Mohawk RIC, hmahoney@moric.org

‣ Ashleen Speen, South Central RIC, aspeen@btboces.org

‣ Monica Statile, Northeastern RIC, monica.statile@neric.org

‣ Ryan Mahoney, Mohawk RIC, rmahoney@moric.org

‣ Chris Grieco, Mohawk RIC, cgrieco@moric.org

‣ Kristine Kipers, Mohawk RIC, kkipers@moboces.org

‣ Chrissy Choi, South Central RIC, cchoi@btboces.org

‣ Phil Sage, South Central RIC, psage@btboces.org

‣ Kelly Twitchell, South Central RIC, ktwitche@btboces.org

‣ KellyRose Yaeger, Northeastern RIC, kellyrose.yaeger@neric.org

‣ David Pellow, Mohawk RIC, dpellow@moboces.org

RIC ONE ROC PARTNER AGENCIES, ALLIANCES, AND CONSORTIUMS

‣ National consortium: A4L Student Data Privacy Consortium. Lisa Waters, SDPC Registry Programmer; Steve Smith, Interim A4L Leadership.

‣ NYS Education Department Data Privacy and Security Office: Louise DeCandia, Chief Privacy Officer.

‣ Multi-state alliance: TEC Student Data Privacy Alliance. Ramah Hawley, TEC SDPA Director; Joseph Krummel, Senior Attorney; Felicia Vasudevan, Attorney; Murphy, Hesse, Toomey & Lehane, LLP.

2023-2024 ROC CONTRIBUTORS

‣ RIC One ROC pilot partner

‣ RIC One and BOCES/RIC collaboratives: Directors of the Regional Information Centers, BOCES Contracts Consortiums, Regional Implementation Teams for the DPA Structures, and the RIC One Communications Collaborative.
