
Vendor Risk Assessments for FOA Units

Vendor Risk Assessments

In today's interconnected environment, Vendor Risk Assessments (VRAs) are crucial for safeguarding an organization's data, operations, and reputation from the security risks associated with partnering with third-party companies.

Overview

A VRA is a thorough review of a vendor's (supplier's) security practices and organizational maturity. Think of it as a detailed health report that points out the weak spots and dangers in how the vendor protects information and operates its business. The review is conducted by the Information Security Office (ISO), and the key findings are summarized in a comprehensive report that highlights potential concerns, threats, and vulnerabilities that could negatively impact customers of the service, university operations or IT resources, or the university's reputation. You, as the potential customer, then decide whether to do business with the vendor based on the outcomes of the VRA and stakeholder authorization.

Scope: Any vendor software and related services, including hardware and professional services, for use with any of the following:

  • Institutional Information (e.g., names, email addresses, financial records, sensitive information, etc.)
  • IT resources (e.g., computers, servers, networks, etc.)
  • Facilitation of administrative or campus programs

Responsibility for FOA Units

The VRA process must be initiated by the program manager or system owner (data proprietor) within the Unit/Department that is procuring services from a supplier. In addition to commissioning the VRA, the data proprietor is responsible for:

  • Risk Remediation (manage, mitigate, or eliminate identified risks)
  • Ensuring the appropriate contractual measures are taken according to the IS-3 standards, ISO recommendations and IT governance
  • Consulting with unit stakeholders (e.g., Department Head, UISLs, IT Team, FOA VRA Team, Division Head) regarding any risk acceptance decisions

Procurement & Contractual Considerations

A VRA is required before procuring IT solutions and entering the procurement stage with Supply Chain Management. Since the full process can take upwards of 4 months, we strongly encourage you to initiate the VRA 4-6 months before your need-by date.

Other Contractual Considerations

Does the data or use case require Protection Level 3 (P3) and/or P4 classification?

If sensitive data or use cases involve Protection Level 3 (P3) and/or P4 classification, IS-3 requires the supplier to accept Appendix Data Security (DS) for UC agreements and purchase orders. Appendix DS establishes baseline protection for the Institution in the event a supplier suffers a security incident or breach.

Share this requirement with your suppliers ahead of time to help streamline the contractual negotiations phase. Refer to the Resources tab for the FOA VRA Process Overview, which includes an email template you can use for this purpose.

Responsibility for FOA Program Manager or System Owner

Prepare the Appendix DS - Exhibit 1 form with all data types and regulations that are in scope for the product/service and business use case. To complete this form, refer to your ISO VRA Request form and the selections made in the sections labeled Use Case, Data Sensitivity, and Impact Assessment. For support, please contact Zainab Shakoor (Privacy Officer/Campus Counsel) for guidance on the data types and privacy selections.

Provide the completed form to your Business Partner, Purchasing Team Contact, or Procurement Analyst/Buyer so they can attach it to the final agreement or purchase order.

UC Policy (IS-3) Requirement

The University of California, Office of the President (UCOP) Information Security Policy (IS-3) requires all units to commission a VRA before engaging with suppliers. This critical step helps guide the allocation of resources through risk evaluation and cost-benefit analysis based on approved risk management decisions.

Refer to IS-3 pages 1 and 5 for a description of Institutional Information and IT resources.

VRA Process

The Information Security Office (ISO) manages the campus VRA program. Upon review of your VRA request, a skilled security analyst engages the vendor to obtain relevant security and compliance documentation and to identify potential weaknesses in the vendor's organization and IT solution(s).

The final outcome is a comprehensive report with risk scoring for each data classification level assessed, along with key findings and actionable recommendations to effectively minimize the security concerns identified.

Explore our menu and resources to help guide you in the process.
For questions or support, contact us at FOA-VRA-Team@ucdavis.edu or schedule a Support Session with us.