Frequently Asked Questions


  • What is a "third-party service provider"?
  • A "vendor" or "third-party service provider" is an entity (e.g., a person or a company), separate from the university, that offers something for sale.  The typical types of vendor services that require an ISO vendor risk assessment are technologies used to store, process, and/or transport protected data on behalf of the university, such as:

      • Software as a Service (SaaS) providers - companies that provide hosted application services (e.g., Gmail, Calendly, Box)

      • Infrastructure as a Service (IaaS) providers - companies that provide hosted data storage or processing services (e.g., Amazon AWS, Microsoft Azure)

    These vendors are required to meet the same campus policy standards, for the protection level classification of the data involved, that apply to applications and services managed by internal campus IT resources.

  • What is the purpose of the Vendor Risk Assessment Service?
  • The Vendor Risk Assessment (VRA) Service is intended to ensure that service providers who handle university data meet campus security policy requirements.  This is primarily achieved in two ways:

      • By evaluating the vendor's security controls in comparison to campus policy.

      • By ensuring that the UCOP Data Security & Privacy Appendix is included in the vendor contract, to provide baseline protection for the university in the event of a data breach.

  • Are vendor services available that have already been approved?
  • Review the information on the Vendor Risk Assessment page to identify vendors that have a Vendor Risk Assessment in place (or in process) and the level of data for which the assessment is valid.  Contact the Information Security Office (ISO) at cybersecurity@ucdavis.edu for guidance before proceeding with a purchase request based on an existing VRA.
  • I already have a completed Vendor Risk Assessment; why do I need to request another VRA for the same product?
  • While other circumstances may apply, the two most common drivers for renewing an existing VRA are:

      • Vendor Risk Assessments (VRAs) reflect a point-in-time analysis of a vendor's security program. The further your current purchase request is from the date of the last VRA, the greater the chance that the vendor's security posture has changed, and the more likely it is that your data is at increased risk. A comprehensive risk management strategy requires an understanding of the vendor's current security practices.

      • The current use case is materially different from the use case considered in the existing VRA. The context of the VRA is a significant factor in the assessment process. If the context changes significantly, the guidance and recommendations may also need to be updated for effective risk mitigation.

  • How do I know if a product or service is subject to the IS-3 risk assessment policy?
  • The minimum requirement for contracting third-party services calls for risk assessments of Cloud and Supplier services that handle Institutional Information classified at Protection Level 2 or higher. If you are uncertain whether a planned IT purchase is subject to the IS-3 risk assessment policy, contact FOA-VRA-Team@ucdavis.edu for assistance.

  • How do I know if my data is sensitive?
  • Sensitive data is any data that you would not want shared with the general public. Sensitive data could be financial information (e.g., credit card information, bank account information), business information (e.g., accounting data, trade secrets, business plans, financial statements), or personal data (e.g., addresses, medical history, driver license numbers, phone numbers). If your data is related to student information, it could be subject to FERPA regulations.

      https://iet.ucdavis.edu/security/uc-davis-data-classification-guide

      https://cloud.ucdavis.edu/about-data-sensitivity-guide-questionnaire

  • Who needs to be involved in a vendor risk assessment?
  • The roles typically involved in a vendor risk assessment include the following:

    Resource Owner or Proprietor

    Campus unit representative who has overall responsibility for the application (e.g., budgeting and resource allocation).

    Implementation Project Manager

    Unit member responsible for the roll-out of the application or service, including (but not limited to) vendor selection, contract specifications, configuration, process-flow design, personnel training, etc.

    UC Buyer

    Representative in the UC Davis Procurement department responsible for the vendor contract negotiation.

    Vendor Representative

    Vendor contact responsible for completing the security questionnaire.  Ideally, this person is a member of the vendor's security group or IT department and is knowledgeable about the vendor's security framework.  Often, the person in this role is a Sales or Customer Support Representative who facilitates communication between the vendor's IT staff and the ISO Assessor.

    ISO Assessor

    A member of the ISO analyst team assigned as the primary assessor responsible for the engagement with the unit.

  • How do I get started?
  • Contact your IT support representative or email FOA-VRA-Team@ucdavis.edu for guidance on the process and on initiating a vendor security assessment with the Information Security Office.
    Reference the FOA VRA Process Checklist for a full overview of the VRA process.

  • Assistive Technology: How do I request and obtain software for accessibility and assistive related needs? Do I need to complete the VRA process?

  • The Client Services division of Admin IT manages the desktop installation and licensing for FOA staff who need Assistive / Accessibility Technology, such as Trello, Otter.AI, and other solutions. To submit your request, fill out the Client Services Software Purchase request form.
    Individuals are not required to undertake the VRA process themselves; instead, the FOA VRA Team manages the process and coordinates with Client Services on the VRA Review and SCM Approval form needed to support the staff member's request(s).