VRA for New & Renewal Purchases

Action

Description

IT Consultation (Optional)

Review the VRA Process tab for an overview of the steps involved and supporting resources to efficiently navigate the process. Engage your IT support team early to:

  • Discuss the business requirements to find the best technology solution(s)
  • Build awareness of available tools and options
  • Receive input on IT support activity and efforts
  • Manage risks and security requirements
  • Understand Governance Committee engagement and requirements

Interested? Schedule a General Support Session with the FOA VRA Team for guidance.

Classify the Business Use Case

Review the UCOP Protection Level Classification Guide for examples of data elements and their classification to determine which level is most suitable for your use case, such as Protection Level 1 (P1), P2, P3 or P4.

For existing tools and contract renewals: 
Units must follow the ISO VRA Guidelines for guidance on VRA renewals, which are leveraged to provide an updated opinion of the vendor's security evaluation. VRA renewals must follow the schedule indicated for the highest Protection Level classification in scope of the business use case:
Renewal Schedule: P4 - Annually; P3 - Every 2 years; P2 - Optional; P1 - Not required

Initiate the VRA

Action: A Unit contact, typically the product owner or program manager, is responsible for submitting an Information Security Office (ISO) VRA request form.

The ISO reviews the use case details and determines if a VRA is necessary. An ISO analyst may contact you to align on specific details of the use case, data classification requirements, and assessment methodology. For a full overview of the process and associated timelines, refer to the VRA Resources tab > Process and Instructions > FOA VRA Process Checklist.

For existing tools and contract renewals:
Include a note on your ISO VRA Request Form with the previous VRA ticket number and any changes to your business use case since the last VRA.

Risk Assessment Types

Is P3 or P4 in scope of the business use case?

If no, the ISO may conduct a light version assessment (Multi-Point Intelligence Search) where the vendor is not contacted. No vendor preparation is needed. Estimated time: 2-4+ weeks.

If yes, the ISO may conduct a full version assessment where the vendor is asked to provide a list of security documentation to review. Contractual considerations including, but not limited to, Appendix Data Security (DS) and the vendor's security plan are required. Vendor preparation is highly recommended to reduce delays. Estimated processing time: 2-3+ months.

  • Prepare the Vendor:
    Use the email template in the FOA VRA Process Checklist (see Appendix A) to prepare your vendor for their participation in the process and to make them aware of Appendix DS. This streamlines the contractual negotiations phase, which will be led by UC Davis Procurement (SCM).

Security Evidence Gathering

An ISO analyst will contact the vendor provided in your ISO VRA request form to request their completion of a new security questionnaire (e.g., HECVAT, SIG, CAIQ) or a recently completed version, and relevant security documents designed to measure the vendor's security practices and risks to consider before doing business with them.

If the vendor becomes unresponsive, the ISO analyst may ask for your help to engage them.

Risk Assessment Report

An ISO risk assessor will review the vendor's security documentation, conduct a Public Information search, and use third-party risk tools to deliver a final report that identifies key risk findings and recommendations about the vendor and product/services in scope of the assessment.

Report Debriefing

The ISO risk assessor may hold a debriefing of the final report to discuss key points (risks, concerns, and recommendations) and respond to questions about the report or use case.

Department Response

Action: The VRA contact from the unit is responsible for adding responses and taking follow-up actions to address the Department Response. Once final responses have been noted on the document, they are responsible for requesting approval from the Unit Head before proceeding with the purchase, renewal, or business engagement.

If the use case is evaluated as high risk, cannot be assessed, or the VRA highlights critical concerns (e.g., recent breach, security incident, lawsuit), a formal Risk Acceptance Request may also be necessary. Consult with the FOA VRA Team for guidance regarding risk acceptance decisions.

Pre-Procurement & Contractual Considerations

A Supply Chain Management (SCM) Approval form for Software and Related Services is required for most purchases and renewals. The FOA VRA Team works with the Technical UISL on your behalf to obtain their signature when Department Head approval is received. 

Action: If you will be submitting a procurement request, fill out the form and email it to FOA-VRA-Team@ucdavis.edu with links to the VRA Box folders. Indicate any deadlines or need-by dates and we will verify the state of the VRA and Department Response to confirm all relevant requirements have been satisfied. Then, we will work with the Technical UISL on your behalf for their signature and provide the signed form to you.

For P3 or P4 classifications:
Suppliers are required to accept Appendix Data Security (DS) as it establishes baseline protection for the Institution in the event a supplier suffers a security incident or breach, and more.

  • Responsibility for FOA Program Manager or System Owner:
    Prepare the Appendix DS - Exhibit 1 form with all data types and regulations relevant to the product/service and business use case. Reference the VRA Published folder for a PDF copy of your ISO VRA Request form and review the sections for Use Case, Data Sensitivity, and Impact Assessment.
    For support, contact Zainab Shakoor (Privacy Officer/Campus Counsel) for guidance on the data types and privacy selections.

If HIPAA data is in scope...
A Business Associates Agreement (BAA) may be required. Contact Zainab Shakoor to confirm if a BAA is needed.

Procurement 

Provide all completed forms (e.g., signed SCM Approval Form, Appendix DS Exhibit 1) to your Business Partner, Purchasing Team Contact or Procurement Analyst/Buyer so they can execute the final agreement or purchase order.

Additional Resources: