Vendor Risk Assessment for FOA Units


A Vendor Risk Assessment (VRA) helps your department understand the risk associated with using a third-party vendor’s product or service. While the importance of monitoring and managing UC Davis’ internal cybersecurity posture is commonly understood, it is equally essential to identify your vendors’ potential vulnerabilities and treat them as our own.

The UCOP IS-3 policy formalizes the requirement that a risk assessment be completed when contracting for a third-party provided service that will handle UC Davis information, or otherwise potentially impact the security of UC Davis. The minimum requirement as it relates to contracting for third-party provided services calls for risk assessments of Cloud and Supplier services for Institutional Information classified at Protection Level 2 or higher.

In addition to receiving a conforming opinion from the security analyst and risk acceptance from the department head, the University of California Office of the President (UCOP) requires the inclusion of the Data Security and Privacy Appendix for all UC contracts involving third-party access to covered data.  The appendix establishes baseline protection for the university in the event of a data breach. Campus units that engage with service providers to handle covered data must ensure the appendix is included in new contracts.

If you are planning to acquire or renew services that will collect, store, process and/or transmit P2 or higher data, and need technical assistance or support in working through the process, AdminIT is available to help navigate the VRA steps and with efforts to understand and comply with UC IS-3 policy. Departments are encouraged to be proactive and engage as early as possible considering the VRA process may take up to 4 months.




IT Consultation

Engage with your IT support team or email early to discuss business need and benefits of proposed technology. Build awareness of alternate tools and options that may be available. Receive input on IT support activity and effort. Understand Governance Committee engagement and requirements. Review VRA process and information needed to efficiently navigate steps.

Vendor Risk Assessment (VRA) Request

Two step process starting with an initial Vendor Risk Assessment request which initiates a preliminary Information Security Office (ISO) review. ISO will then follow with a detailed Context Questionnaire (CQ). The CQ collects information about the intended use of the proposed service, data types involved, and other pertinent information to help determine whether a full risk assessment is needed.   

It is common practice to schedule a session with ISO analyst to review the context questionnaire to ensure common understanding of use case, data classification, and assessment methodology.

Security Questionnaire and Documentation Request

Once approved to proceed, the ISO analyst will send a request to the vendor contact for completion of a standardized security questionnaire designed to measure vendor risk. The analyst will also request relevant security documentation and research publicly available information to support assessment.

For data classifications up to P2, the department may request a Unit-Led VRA be conducted. If approved by ISO, an authorized AdminIT representative may conduct the VRA. The AdminIT analyst will initiate security information requests to the vendor similar to those expected by ISO analyst and will directly consult with ISO on any concerns or questions.

Assessment and Report

The assigned analyst (ISO or AdminIT) will review collected security documentation in the context of identified use case and evaluate the vendor’s ability to protect the confidentiality, integrity, and availability of institutional information and assets. The final deliverable will be a risk assessment report including findings, recommendations on how to improve overall security and compliance, and opinion on risk in light of other security controls and mitigating factors.

It is important to understand that a risk assessment is a point-in-time review of a vendor’s technology, people and processes to identify potential problems.

Department Response

Ultimately, risk acceptance is the responsibility of the department head for the group requesting third-party vendor’s product or service. To inform risk acceptance, department responses are required for all findings and recommendations documented in the VRA report. Additionally, departments may be required to complete a formal Risk Acceptance Request and review with the FOA Business and Technical Unit Information Security Leads prior to advancing through procurement process.

Plan & Prepare

Consider the following as you maintain and manage your technology assets:

  • Be Proactive
    • Inventory existing software used by your department, to help anticipate renewal dates and plan accordingly. 
    • The typical engagement timeline for a VRA is up to 4 months, depending upon the cooperation of the vendor.
    • If there is an existing VRA, the engagement timeline may be reduced.
    • Existing VRAs that are more than a year old may require update or reassessment be conducted.
  • Be Aware
    • Business Partners will not process any purchase request without verification that a risk assessment has been completed.
    • Supply Chain Management will not initiate a PO without the appropriate approvals.
    • VRAs are use case specific. Therefore, an existing VRA for a technology purchase you are interested in may require reassessment based on your use case.
    • Prior to making a technology purchase based on pre-existing VRA, departments should review associated recommendations with ISO.
    • Processes continue to mature in support of the IS-3 policy. While you may have made recent technology purchases without a VRA, those same purchases or renewals will require a VRA going forward.