Vendor Risk Assessment for FOA Units

Overview

A Vendor Risk Assessment (VRA) helps your department understand the risk associated with a third-party vendor's IT solution (e.g., a product or service) and the potential impact that solution could have on the overall security of the institution (UC Davis). The importance of monitoring and managing UC Davis' internal cybersecurity posture is commonly understood; it is equally essential to identify your vendors' potential vulnerabilities and security risks and to treat them as our own, because a vendor that handles institutional data extends the institution's attack surface.

The University of California Office of the President (UCOP) IS-3 policy requires that units perform a risk assessment when engaging with a supplier (vendor) who will be given access to institutional information and/or IT Resources classified at Protection Level 2 (P2) or higher. For more insight into UCOP's definitions of institutional information and IT resources, please reference page 2 of the IS-3 policy.

The VRA consists of an in-depth review of a vendor's security documentation and relevant artifacts by the Information Security Office (ISO) to determine the risk associated with the vendor and the IT solution. The ISO forms an opinion of the risk level (low, medium, or high) for the data classifications in scope, as defined by the UCOP Protection Level and Availability Level classification guides. The VRA report identifies security risks and findings for the unit's attention and provides recommendations for risk mitigations and contractual considerations that, if adopted, reduce the overall risk level.

If the VRA concludes that the vendor's cybersecurity posture is suitable for the department's Protection Level and Availability Level requirements, the department completes the Department Response and requests approval from the Department Head in order to proceed with the purchase or renewal. If the vendor's cybersecurity posture is not suitable for the required data classification, then in addition to the Department Response the department may need to formalize a Risk Acceptance Request (see the process below) before advancing through the procurement process.

IS-3 requires inclusion of Appendix Data Security (DS) in all UC contracts involving third-party access to covered data. Appendix DS establishes baseline contractual protection for the institution in the event the vendor suffers a data breach or security incident. If the data will be classified as P3 or higher, departments are encouraged to share Appendix DS with the vendor early, so the vendor can review its terms before the final agreement is negotiated rather than at signing.

The VRA process can affect a department's ability to procure or renew IT purchases. Departments are strongly encouraged to initiate the VRA well ahead of any deadlines, as the full process may take upwards of 4 months to complete. If you are planning to acquire or renew an IT solution that will collect, store, process, and/or transmit P2 or higher data, the AdminIT FOA VRA Team can help you navigate the VRA steps and understand and comply with the IS-3 policy.

Process

Each step below names the action and then the activities it involves.

IT Consultation

Engage with your IT support team or email FOA-VRA-Team@ucdavis.edu early to discuss the business needs and benefits of the proposed technology. Build awareness of alternate tools and options that may already be available. Receive input on the IT support activity and effort the solution will require. Understand Governance Committee engagement and requirements. Review the VRA process and the information you will need to move through its steps efficiently.

VRA Request

The VRA process begins with a single Vendor Risk Assessment request form. The ISO reviews the request, which contains information about the intended use of the proposed service, the data types involved, and other pertinent details, to determine whether a full risk assessment is needed.

It is common for an ISO analyst to contact the requester to walk through the VRA request and ensure a shared understanding of the use case, data classification, and assessment methodology.

Security Questionnaire and Documentation Request

Once the Chief Information Security Officer (CISO) determines whether a VRA is required and which methodology will be used, an ISO analyst engages the vendor contact you provided, asks the vendor to complete a standardized security questionnaire, and requests relevant security documentation (for example, third-party audit reports or penetration test summaries, where the vendor has them) designed to measure vendor risk. The analyst also researches publicly available information about the vendor to support the assessment.

Assessment and Report

The assigned ISO analyst reviews the security documentation provided by the vendor and evaluates the vendor's ability to protect the confidentiality, integrity, and availability of institutional information and assets. The final deliverable is a risk assessment report that includes findings, recommendations on how to improve overall security and compliance, and an opinion on risk in light of other security controls and mitigating factors.

It is important to understand that a risk assessment is a point-in-time review of a vendor's technology, people, and processes to identify potential problems. A vendor's posture can change after the report is issued, which is why the renewal schedule and annual Department Response updates described below exist.

Department Response

The Department Response is used to document the department's response to each of the risk findings the ISO noted in the VRA report. It is the department's responsibility to obtain approval of the completed Department Response from the Department Head. The FOA VRA Team will provide input and clarification in response to requests from departments, but the department owns the risk and the responsibility for documenting it.

Risk Acceptance

Ultimately, risk acceptance is the responsibility of the Department Head of the group requesting the third-party vendor's product or service. To inform risk acceptance, department responses are required for every finding and recommendation documented in the VRA report. If a formal Risk Acceptance Request (RAR) is needed, units will be asked to review it with the FOA VRA Team and obtain approval from the Department Head.

If P3 data, P4 data, or elevated risk is in scope of the RAR, additional approvals may be required from stakeholders (such as the FOA Business and Technical Unit Information Security Leads (UISL) and the FOA Division Head) before advancing through procurement.

Supply Chain Management (SCM) Approval Form for Software and Related Services

A signed SCM Approval form must be attached to your purchase request upon completion of the VRA review, which is managed through the ServiceNow request module. Verification that the Department Response is complete, including Department Head approval, is required before the Technical UISL will sign off.

If the VRA and Department Response were completed more than 12 months ago, departments follow the VRA renewal schedule for contract renewals, which is tied to the Protection Level classification:
  • P4 - annually
  • P3 - every 2 years
  • P2 - optional
  • P1 - no VRA required to renew
At a minimum, departments are required to update the Department Response annually with the current state of the ISO recommendations. Department Head approval of the updated Department Response is required before Technical UISL signoff.

Plan & Prepare

Consider the following as you maintain and manage your technology assets:

  • Be Proactive
    • Inventory the existing software used by your department so you can anticipate renewal dates and plan accordingly.
    • The typical engagement timeline for a VRA can run upwards of 4 months, depending on the responsiveness of the vendor.
    • If an existing VRA is on file for the vendor, the engagement timeline may be reduced.
    • Existing VRAs that are more than a year old may require updates or a reassessment.
    • Department Responses that are more than a year old require an updated response column for the current year and Department Head approval.
  • Be Aware
    • Business Partners will not process any purchase request without verification that a risk assessment has been completed.
    • Supply Chain Management will not initiate a PO without the appropriate approvals and a signed SCM Approval form.
    • Although the ISO is shifting toward a more general approach, VRAs can be use-case-specific. An existing VRA for a technology you are interested in may therefore require reassessment based on your use case (for example, if you intend to put higher-classification data in it than the original assessment covered).
    • Before making a technology purchase based on a pre-existing VRA, departments should review the associated recommendations with the FOA VRA Team and the ISO.
    • Processes continue to evolve in support of the IS-3 policy. Even if you made recent technology purchases without a VRA, those same purchases or renewals will require a completed VRA going forward.