Frequently Asked Questions

  • What is the purpose of the Vendor Risk Assessment?
  • The Vendor Risk Assessment (VRA) is intended to ensure that service providers who handle university data meet campus security policy requirements.  This is primarily achieved in two ways:
    • By evaluating the vendor's security controls in comparison to campus policy.

    • Ensuring that the UCOP Appendix Data Security is included in the vendor contract to provide baseline protection for the university in the event of a third-party data breach. 

  • What is a "third-party service provider"?
  • Also known as a "vendor" or "supplier", a third-party service provider is an entity (e.g., a person or a company), separate from the university, that offers technology services or products that can be used to store, process, and transport institutional information on behalf of the university, such as:
       • Software as a Service (SaaS) providers - companies that provide hosted application services (e.g., DocuSign, Calendly, Box)

       • Infrastructure as a Service (IaaS) providers - companies that provide hosted data storage or processing services (e.g., Amazon AWS, Microsoft Azure)

       • Hardware providers - companies that provide hardware that connects to UC networks, systems, or infrastructure, or that manage UC programs (e.g., parking meters, network routers, control or monitoring meters)

    These vendors are required to meet the same campus policy standards, for the protection level classification of the data involved, that apply to applications and services managed by internal campus IT resources.

  • How do I know if a product or service is subject to an IS-3 Risk Assessment?
  • Risk assessments apply to cloud-hosted and supplier-provided products and services that will be used with Institutional Information classified at Protection Level 2 or higher and/or with Institutional technology resources.
    If you are uncertain whether a planned IT purchase is subject to IS-3 risk assessment policy, contact FOA-VRA-Team@ucdavis.edu for assistance.
  • Are there available products and services that have already been vetted by the VRA?
  • Yes. Contact the FOA VRA Team (foa-vra-team@ucdavis.edu) to inquire about the FOA and campus VRA catalog. Alternatively, you can schedule a General Support Session to inquire with our team.
  • How do I get started?
  • Contact your IT support representative or email FOA-VRA-Team@ucdavis.edu for guidance on the process and on initiating a vendor security assessment with the Information Security Office.
    Reference the Resources section for the FOA VRA Process Checklist for a full overview of the VRA process.
  • Who needs to be involved in a VRA?
  • The roles that are typically involved in participating with a vendor risk assessment include the following:

    • Primary Contact - Department contact who is responsible for administering the product, service, or UC program.

    • Implementation Team or Project Manager - Unit member responsible for the roll-out of the application or service, including (but not limited to) vendor selection, contract specifications, configuration, process-flow design, personnel training, etc.

    • UC Buyer - An individual in UC Davis Procurement who is responsible for the vendor contract negotiation.

    • Vendor Representative - Contact responsible for providing company security documentation to inform the VRA. Ideally, this person is a member of the vendor's security group or affiliated with its IT department and is knowledgeable regarding the vendor's security framework. Often, the person in this role is a Sales or Customer Support representative who facilitates communication between the vendor's IT staff and the ISO Risk Assessor.

    • ISO Risk Assessor - The Information Security Office (ISO) contact responsible for conducting the VRA and engaging with the unit to understand their business use case for the technology.
  • I already have a completed VRA, why do I need to request another VRA for the same product?
  • While other circumstances may apply, the two most common drivers for renewing an existing VRA include: 

    • VRAs are a point-in-time analysis of a vendor's security standing. If the last VRA was completed more than two years prior, there is a chance that your vendor's security posture has changed, and additional risk mitigations or contractual requirements may be necessary to ensure safe, continued use of the product/service.

    • The current use case is materially different from the one in the previous VRA. The context of the VRA is a significant factor in the assessment process. If the context changes significantly, then the guidance and recommendations may also need to be updated for effective risk mitigation.

    VRA Renewal Cycle: P4 Annually | P3 Every two years | P2 Optional | P1 Not Required

  • How do I know if my information (data) is sensitive?
  • Sensitive data is any data that you would not want shared with the general public: personal financial or identifying information (e.g., credit card information, bank account information, social security numbers, confidential information), business information (e.g., accounting data, trade secrets, business plans, financial statements), or personal data (e.g., addresses, medical history, driver's license numbers, phone numbers). If your data is related to student information, it could be subject to FERPA regulations.

    Visit VRA Resources > Data Classification Guides for examples of data types and their classification.

  • Assistive Technology: How do I request and obtain software for accessibility and assistive related needs? Do I need to complete the VRA process?
  • The Client Services division of Admin IT manages the desktop install and licensing for FOA staff who need Assistive / Accessibility Technology, such as Trello, Otter.AI, and other solutions. To submit your request, fill out the Client Services Software Purchase request form.

    Individuals are not required to undertake the VRA process themselves; instead, the FOA VRA Team manages the process and coordinates with Client Services for the VRA Review and SCM Approval form needed to fulfill the staff request.
  • What is Risk Acceptance?
  • Risk acceptance is a documented summary of the VRA outcomes and a decision to accept risk associated with a vendor that is above the comfort level or risk tolerance of the unit responsible for managing the product or service. The document must be reviewed and approved by the Unit Information Security Leads (UISLs), Unit Head, and sometimes the Division Head. 

    Common justifications for risk acceptance:

    • No Appendix DS for a P3 or P4 classified product or service.

    • A vendor security incident or deficiency.

    • ISO could not assess the vendor.

    • Other gaps that could impact the university or its service offerings.