VRA for New & Renewal Purchases
Action | Description |
IT Consultation | Review The VRA process tab for an overview of the steps involved and supporting resources to efficiently navigate the process. Engage your IT support team early to:
Interested? Schedule a General Support Session with the FOA VRA Team for guidance |
Classify the Business Use Case | Review the UCOP Protection Level Classification Guide for examples of data elements and their classification to determine which level is most suitable for your use case, such as Protection Level 1 (P1), P2, P3 or P4. For existing tools and contract renewals: |
Initiate the VRA | Action: A Unit contact, typically the product owner or program manager, is responsible for submitting an Information Security Office (ISO) VRA request form The ISO reviews the use case details and determine if a VRA is necessary. An ISO analyst may contact you to align on specific details of the use case, data classification requirements, and assessment methodology. For a full overview of the process and associated timelines, refer to the VRA Resources tab > Process and Instructions > FOA VRA Process Checklist. For existing tools and contract renewals: |
Risk Assessment Types | Is P3 or P4 in scope of the business use case? If no, the ISO may conduct a light version assessment (Multi-Point Intelligence Search) where the vendor is not contacted. No vendor preparation is needed. Estimated time: 2-4+ weeks. If yes, the ISO may conduct a full version assessment where the vendor is asked to provide a list of security documentation to review. Contractual considerations including, but not limited to, Appendix Data Security (DS) and the vendor's security plan are required. Vendor preparation is highly recommended to reduce delays. Estimated processing time: 2-3+ months.
|
Security Evidence Gathering | An ISO analyst will contact the vendor provided in your ISO VRA request form to request their completion of a new security questionnaire (e.g., HECVAT, SIG, CAIQ) or recently completed version, and relevant security documents designed to measure the vendor's security practices and risks to consider before doing business with them. If the vendor becomes unresponsive, the ISO analyst may ask for your help to engage them. |
Risk Assessment Report | An ISO risk assessor will review the vendor's security documentation, conduct a Public Information search, and use third-party risk tools to deliver a final report that identifies key risk findings and recommendations about the vendor and product/services in scope of the assessment. |
Report Debriefing | The ISO risk assessor may hold a debriefing of the final report to discuss key points (risks, concerns, and recommendations) and respond to questions about the report or use case. |
Department Response | Action: The VRA contact from the unit is responsible for adding responses and taking follow up actions to address the Department Response. Once final responses have been noted on the document, they are responsible for requesting approval from the Unit Head before proceeding with the purchase, renewal, or business engagement. If the use case is evaluated as high risk, cannot be assessed, or the VRA highlights critical concerns (e.g., recent breach, security incident, lawsuit), a formal Risk Acceptance Request may also be necessary. Consult with the FOA VRA Team for guidance regarding risk acceptance decisions. |
Pre-Procurement & | A Supply Chain Management (SCM) Approval form for Software and Related Services is required for most purchases and renewals. The FOA VRA Team works with the Technical UISL on your behalf to obtain their signature when Department Head approval is received. Action: If you will be submitting a procurement request, fill-out the form and email it to FOA-VRA-Team@ucdavis.edu with links to the VRA Box folders. Indicate any deadlines or need-by dates and we will verify the state of the VRA and Department Response to confirm all relevant requirements have been satisfied. For P3 or P4 classifications:
If HIPAA data is in scope... |
Procurement | Provide all completed forms (e.g., signed SCM Approval Form, Appendix DS Exhibit 1) to your Business Partner, Purchasing Team Contact or Procurement Analyst/Buyer so they can execute the final agreement or purchase order. Additional Resources:
|