Vendor Risk Assessment for FOA Units

Vendor Risk Assessments

Overview

Vendor Risk Assessments (VRA) are a point in time assessment used to evaluate a third-party supplier's security posture, identifying Identification of threats and vulnerabilities that could adversely affect end users, operations, Institutional Information or IT Resources for your department's consideration prior to procuring third-party IT solutions. When security risks and their potential for business impact are understood, it can greatly enhance the security of your program and UC Davis overall.

Scope & UC Policy (IS-3) Requirement

Scope: Software and related services (SaaS solutions), Hardware and Cloud Services

The University of California, Office of the President (UCOP) Information Security Policy (IS-3) mandates that all units must perform a risk assessment before engaging third-party suppliers (vendors) who will collect, store, process, or receive access to Institutional Information and/or IT Resources. IS-3’s risk-based approach guides the allocation of resources by evaluating risk and assessing the cost and benefit of risk management. The policy provides a description of Institutional Information and IT resources, specifically on pages 1 and 5.

Within FOA, it is the obligation of the Unit/Department (as illustrated in the Organizational chart) procuring services from a Supplier to initiate the VRA process with the Information Security Office (ISO) and to execute risk mitigation measures in accordance with the standards outlined by the IS-3 policy, ISO recommendations and IT governance (FOA Stakeholders, UISLs, Unit/Division Head).

VRA Process

The ISO and Chief Information Security Officer (CISO) manage the campus VRA program, including conducting the risk assessments and facilitating debriefings of the final VRA reports when needed. A skilled security analyst engages the vendor to obtain relevant security and compliance documentation to identify security weaknesses in their organization and IT solution(s). The final outcome is a detailed report that provides a comprehensive evaluation of risk scoring for each UCOP Protection Level assessed, along with key findings and actionable recommendations to effectively minimize and mitigate any identified security concerns.

Procurement & Contractual Considerations

An initial VRA is required prior to procuring IT solutions and entering the procurement stage with Supply Chain Management, Since the full process can take upwards of 4 months to walk forward, we strongly encourage you to initiate the VRA in advance of 4-6 months from your need-by date.

Appendix DS establishes baseline protection for the Institution in the event a vendor suffers a security incident or breach. When Protection Level 3 (P3) and P4 data are in scope of the business use case, IS-3 requires supplier's to accept Appendix Data Security (DS) for UC agreements and purchase orders. Share the Appendix DS link and requirement details with your vendors in advance to help streamline the contractual negotiations phase that is overseen by Supply Chain Management.

Process Overview

Action	Description
IT Consultation	Engage with your IT support team early to discuss the business needs and benefits of the proposed technology and to: Build awareness of available alternative tools and options Receive input on IT support activity and efforts Understand Governance Committee engagement and requirements Review the VRA process and supporting resources to efficiently navigate steps. Need help? Schedule a General Support Session with the FOA VRA Team for guidance
VRA Request	The VRA process begins with submitting a Vendor Risk Assessment request form. The ISO will review the use case and data elements in scope of the request to determine if a VRA is needed. It is common practice to be contacted by an ISO analyst to review the VRA request to ensure a common understanding of the business use case, data classification requirements, and assessment methodology. For a full overview of the process entailed and associated timelines, see Resources > FOA VRA Process Checklist
Prepare the Vendor for Appendix DS	Is sensitive data (P3 or P4) is in scope of the business use case? Refer to the UCOP Protection Level Classification Guide to determine if P3 or P4 data classifications are required. If yes, Appendix DS is required. To avoid unwanted delays during the contractual negotiations phase, share the Appendix Data Security link and requirement details with your vendors by email so their Legal Team can review it for questions or red-lines, and ask for their preliminary decision to accept the terms. If the vendor has previously accepted Appendix DS, ask if they will agree to reaccept the terms during the renewal. For an email template you can use to prepare the vendor, see Resources > FOA VRA Process Checklist > Appendix A.
Security Questionnaire and Documentation Request	The ISO analyst will engage the vendor contact provided in your VRA request for their completion of a standardized security questionnaire and to provide relevant security documentation designed to measure vendor risk. Prepare your vendors for this outreach to gauge their participation efforts and to reduce the ISO's VRA processing delays.
Risk Assessment and Report	The assigned ISO analyst will review the vendor's security documentation, conduct a Public Information search and use third-party risk tools to inform their opinion and deliver a final report identifying key findings and recommendations. It is common for the risk analyst to hold a debriefing of the final report to address key points and respond to any questions.
Department Response	Requestors must complete a Department Response and receive approval from the Unit/Department Head in order to proceed with procuring (purchasing or renewing) said software and related services. If the vendor is evaluated as high risk or cannot be assessed, the requestor may need to formalize a Risk Acceptance Request (see process below) in addition to completing the Department Response prior to proceeding with the associated procurement process. Consult with the FOA VRA Team for guidance as to when Risk Acceptance is applicable.
Risk Acceptance Request (RAR)	Based on the residual risk identified in the VRA report and completed Department Response, risk acceptance may be needed prior to procurement If the residual risk is deemed significant and above the organization's risk tolerance level. Ultimately, risk acceptance is the authorized by the Unit/Department Head and/or Division Head (Vice Chancellor). Consult with the FOA VRA Team for guidance on how to proceed through the formal process.
Supply Chain Management (SCM) Approval Form for Software and Related Services	A signed SCM Approval form must be included with purchase requests or provided to Procurement (SCM) in order to purchase software and related services. The FOA VRA Team completes a quick VRA Review to verify the state of the VRA and Department Response and confirms all applicable VRA requirements have been satisfied prior to the Technical UISL's signoff on the form. Note: For annual purchases or contract renewals, departments must follow the ISO VRA Guidelines for submitting VRA renewals according to the highest Protection Level classification in scope of the business use case: P4 - Annually; P3 - Every 2 years; P2 - Optional; P1 - Not required

Plan & Prepare

Consider the following as you maintain and manage your technology assets:

Be Proactive
- Inventory existing software used by your department to help anticipate renewal dates and plan accordingly.
- Engage your vendors for their participation in the security questionnaire and documentation request. When P3 or P4 data are in scope, prepare them for the Appendix DS terms and UC contract negotiations phase.
- If there is an existing VRA, the engagement timeline may be reduced.
- If the VRA Renewal is not completed in time for the renewal, Department Responses that are more than a year old may require an updated response column for the current year and Department Dead approval.
Be Aware
- Business Partners will not process any purchase request without verification that a risk assessment has been completed.
- Supply Chain Management will not initiate a PO/PA without the appropriate approvals and signed SCM Approval form.
- Although the ISO is shifting towards a general approach, VRAs can be use case specific. Therefore, an existing VRA for a technology purchase you are interested in may require reassessment based on your use case.
- Prior to making a technology purchase based on pre-existing VRA, departments should review associated recommendations with FOA VRA Team and ISO.
- Processes continue to evolve in support of the IS-3 policy. While you may have made recent technology purchases without a VRA, those same purchases or renewals will require a completed VRA going forward.

Schedule a Support Session with the FOA VRA Team

Resources

Process and Instructions

Forms

ISO Vendor Risk Assessment (VRA) Request Form
FOA VRA Team Support Request Form
FOA Risk Acceptance Request Form (coming soon)
Software Related Services Approval Form

Policy and Process

Data Classification

Classification Guide: Availability Levels for Institutional Information and IT Resources
Classification Guide: Protection Levels for Institutional Information and IT Resources
UC Data Classification Guides: Data Classification Guide (UCD), Data Classification Guide (UCI), Data Classification Guide (UCSF)
Data Sensitivity Guide
Personal Information (California Code) and/or Personally Identifiable Information (PII) (formerly PII High Level)
Personally Identifiable Information (PII) and Personal Data as defined in GDPR (formerly PII Moderate Level)
UC directory (faculty, staff and students who have not requested a FERPA block) (formerly PII Low Level)
Protected Data

Tools

The VRA Process

View larger image

Download this chart

FOA Security Roles

As IS-3 states, security is a shared responsibility. The policy defines specific roles and responsibilities for each Unit, Unit Head, Unit Information Security Lead (UISL), Service Provider and Supplier. In order to facilitate its Information Security Management Program, FOA has assigned specific security roles within the organization, as follows:

Unit Head

Clare Shinnerl, Vice Chancellor – Finance, Operations and Administration (FOA)

Unit Information Security Leads (UISLs)

Radhika Prabhu, FOA Technical UISL

Blair Stephenson, FOA Business UISL

Department Heads

Allen Tollefson, Associate Vice Chancellor – Facilities Management (FM)

Blair Stephenson, Chief Operating Officer and Assistant Vice Chancellor – University Resources (UR)

Eric Kvigne, Associate Vice Chancellor – Safety Services (SS)

Jim Carroll, Associate Vice Chancellor – Design and Construction Management (DCM)

Joseph Farrow, Chief of Police - Police

Tammy Kenber, Chief Human Resources Officer - Human Resources (HR)

Laurie Brignolo, Executive Director - Animal Care and Research Program

Lucas Griffith, interim Assistant Vice Chancellor – Campus Planning and Environmental Stewardship (CPES)

Matt Okamoto, Campus Controller - Finance

Nathan Trauernicht, Fire Chief - Fire

Radhika Prabhu, Assistant Vice Chancellor – Business Transformation and Technology (BTT)

Sarah Mangum, Assistant Vice Chancellor - Budget Director – Budget and Institutional Analysis (BIA)

Unit IT Recovery Leads

Ken Ezeh, IT Services & Security Director – Administrative IT

Vendor Risk Assessment Leads (Administrative IT)

Michael Cole, Project Management and Business Integration Manager - VRA Team Lead

Naomi Rosario, Vendor Risk Analyst and Coordinator - IT Lead, VRA Team Lead

FAQs

What is a "third-party service provider"?
A "vendor" or "third-party service provider" is an entity (e.g., a person or a company), separate from the university, that offers something for sale. The typical types of vendor services that require an ISO vendor risk assessment are technologies used to store, process, and/or transport protected data on behalf of the university, such as:

• Software as a Service (SaaS) providers - companies that provide hosted application services (e.g., Gmail, Calendly, Box)

• Infrastructure as a Service (IaaS) providers - companies that provide hosted data storage or processing services (e.g., Amazon AWS, Microsoft Azure)

These types of vendors are required to meet the campus policy standards for the protection level classification of protected data that is required for applications and services that are managed by internal campus IT resources.
What is the purpose of the Vendor Risk Assessment Service?
The Vendor Risk Assessment (VRA) Service is intended to ensure that service providers who handle university data meet campus security policy requirements. This is primarily achieved in two ways:

• By evaluating the vendor's security controls in comparison to campus policy.

• Ensuring that the UCOP Data Security & Privacy Appendix is included in the vendor contract to provide baseline protection for the university in the event of a data breach.
Are vendor services available that have already been approved?
Review the information on the Vendor Risk Assessment page to identify vendors that have a Vendor Risk Assessment in place (or in process) and the level of data for which the assessment is valid. Contact the Information Security Office (ISO) at cybersecurity@ucdavis.edu for guidance before proceeding with purchase request based on existing VRA.
I already have a completed Vendor Risk Assessment, why do I need to request another VRA for the same product?
While other circumstances may apply, the two most common drivers for renewing an existing VRA include:

• Vendor Risk Assessments (VRAs) reflect a point-in-time analysis of a Vendor's security program. The further your current purchase request is from the date the last VRA was conducted, there is a greater potential the Vendor's security posture has changed leading to the possibility that your data is at increased risk. A comprehensive risk management strategy requires understanding of Vendor's current security practices.

• The current use case is materially different than the use case considered in the existing VRA. The context of the VRA is a significant factor in the assessment process. If the context significantly changes, then guidance and recommendations may also need update for effective risk mitigation.
How do I know if product or service is subject to IS-3 risk assessment policy?
The minimum requirement as it relates to contracting for third-party provided services calls for risk assessments of Cloud and Supplier services for Institutional Information classified at Protection Level 2 or higher. If you are uncertain whether a planned IT purchase is subject to IS-3 risk assessment policy contact FOA-VRA-Team@ucdavis.edu for assistance.
How do I know if my data is sensitive?
Sensitive data is any data that you would not want to be shared with general public. Sensitive data could be financial information (e.g., credit card information, bank account information), Business information (e.g., accounting data, trade secrets, business plans, financial statements) or personal data (e.g., addresses, medical history, driver license numbers, phone numbers). If your data is related to student information, it could be subject to FERPA regulations.

• https://iet.ucdavis.edu/security/uc-davis-data-classification-guide

• https://cloud.ucdavis.edu/about-data-sensitivity-guide-questionnaire
Who needs to be involved in a vendor risk assessment?

The roles that are typically involved in participating with a vendor risk assessment include the following:

Resource Owner or Proprietor	Campus unit representative who has overall responsibility for the application (e.g., budgeting and resource allocation).
Implementation Project Manager	Unit member responsible for the roll-out of the application or service, including (but not limited to) vendor selection, contract specifications, configuration, process-flow design, personnel training, etc.
UC Buyer	Representative in the UC Davis Procurement department responsible for the vendor contract negotiation.
Vendor Representative	Vendor contact responsible for completing the security questionnaire. Ideally, this person is a member of vendor security group or affiliated with the IT department and is knowledgeable regarding the vendor's security framework. Often times, the person in this role is a Sales or Customer Support Representative who facilitates communication between the vendor's IT staff and the ISO Assessor.
ISO Assessor	A member of the ISO analyst team assigned as the primary assessor responsible for the engagement with the unit.

How do I get started?
Contact your IT support representative or email FOA-VRA-Team@ucdavis.edu for guidance on process and initiating a vendor security assessment with the Information Security Office.
Reference the FOA VRA Process Checklist for a full overview of the VRA process.
Assistive Technology: How do I request and obtain software for accessibility and assistive related needs? Do I need to complete the VRA process?
The Client Services division of Admin IT manages the desktop install and licensing for FOA staff who need Assistive / Accessibility Technology, such as from Trello or Otter.AI and other solutions. To submit your request, fill-out the Client Services Software Purchase request form.
Individuals are not required to undertake the VRA process themselves, instead, the FOA VRA Team manages the process and coordinates with Client Services for the VRA Review and SCM Approval form needed to support the staff member's request(s).

Vendor Risk Assessments

Overview

Scope & UC Policy (IS-3) Requirement

VRA Process

Procurement & Contractual Considerations

Process Overview

Action

Description

IT Consultation

VRA Request

Prepare the Vendor for Appendix DS

Security Questionnaire and Documentation Request

Risk Assessment and Report

Department Response

Risk Acceptance Request (RAR)

Supply Chain Management (SCM) Approval Form for Software and Related Services

Plan & Prepare