Vendor Risk Assessments for FOA Units

In today’s interconnected landscape, Vendor Risk Assessments play a critical role in protecting an organization’s data, operations, and reputation from the information security risks that arise from third-party partnerships.

Overview

A Vendor Risk Assessment (VRA) is a thorough review of a vendor's (supplier's) security practices and organizational maturity. Think of it as a detailed health report that points out weak spots or dangers in how the vendor protects information and operates its business. The review is conducted by the Information Security Office (ISO), and the key findings are summarized in a comprehensive report that highlights potential concerns, threats, and vulnerabilities that could negatively impact university information, operations, or reputation. You, as the potential customer, then decide whether to do business with the vendor based on the outcomes of the VRA and stakeholder authorization.

Scope: Third-party (vendor) software and related services (e.g., hardware and professional services) for use with any of the following:

  • Institutional Information (e.g., names, email address, financial records, sensitive information of UC Davis affiliates)
  • Institutional IT resources (e.g., computers, servers, networks)
  • Facilitating administrative and campus programs

Responsibility for FOA Units

The VRA process must be initiated by the program manager or system owner (department contact) within the Unit (Department) that is procuring services from a third-party supplier. In addition to initiating the VRA, the department contact is responsible for:

  • Risk Remediation (e.g., manage, mitigate, or eliminate identified risks)
  • Ensuring contractual requirements are upheld (e.g., IS-3 policy, UCOP, IT governance)
  • Receiving stakeholder input (e.g., UISLs, IT Team, FOA VRA Team, Division Head) and Unit Head approval for risk acceptance decisions

Procurement & Contractual Considerations

A VRA is required before procuring the product or service through Supply Chain Management and before using it. Since the full process can take upwards of 4 months, we strongly encourage you to initiate the VRA 4-6 months before your need-by date (implementation or annual renewal).

Other Contractual Considerations

  • If Protection Level 3 (P3) or P4 data is in scope of the business use case:

    Based on IS-3 requirements, the supplier must accept Appendix Data Security (DS) for these types of UC agreements and supplier engagements. Appendix DS establishes baseline protection for the Institution in the event a supplier suffers a security incident or breach, and more.

    Share this requirement with your suppliers ahead of time to help streamline the contractual negotiations phase. Refer to the VRA for New & Renewal Purchases page for an overview of the VRA Process and an email template you can use for this purpose.

    Responsibility for Program Managers and System Owners:

    Prepare the Appendix DS - Exhibit 1 form with the relevant data types and regulations associated with the business use case. To complete this form, refer to your ISO VRA Request form and make the same selections as in the sections labeled Use Case, Data Sensitivity, and Impact Assessment.
    For guidance on data types and privacy selections, contact Zainab Shakoor (Privacy Officer/Campus Counsel).

    Provide the completed form to your Business Partner, Purchasing Team contact, or Procurement Analyst/Buyer so they can attach it to the purchase order or agreement.

UC Policy (IS-3) Requirement

  • The University of California, Office of the President (UCOP) Information Security Policy (IS-3) requires UC locations and units to complete the VRA process before engaging with suppliers. This critical step helps guide the allocation of resources through risk evaluation and cost-benefit analysis based on approved risk management decisions.

    Refer to VRA Resources > Policy & Guidelines for a link to the IS-3 policy; pages 1 and 5 describe Institutional Information and IT resources.

VRA Process

  • The ISO manages the campus VRA program. Upon review of your VRA request form, the Chief Information Security Officer (CISO) determines whether a VRA is necessary. If it is, a skilled security analyst engages the vendor to obtain relevant security and compliance documentation and to identify potential weaknesses in the vendor's organization and IT solution(s).

    The final outcome is a comprehensive report with risk scoring for each data classification level assessed, key findings, and actionable recommendations to effectively minimize the security concerns identified.
Explore our Menu for resources to help guide you in the VRA process.