VRA for New & Renewal Purchases
| Action | Description |
|---|---|
| IT Consultation | Review the FOA VRA Process Checklist for context on the steps involved and the supporting resources, so you can navigate the process efficiently from initial interest to purchase. |
| Classify the Business Use Case | Review the UCOP Protection Level Classification Guide for examples of data elements and their classification to determine which level is most suitable for your use case: Protection Level 1 (P1), P2, P3 or P4. For existing tools and contract renewals: |
| Initiate the VRA | Action: a Unit contact, typically the product owner or program manager, submits an Information Security Office (ISO) VRA request form. The ISO reviews the use case details and determines whether a VRA is necessary. An ISO analyst may contact you to align on specific details of the use case, data classification requirements, and assessment methodology. For a full overview of the process and associated timelines, refer to the VRA Resources tab > Process and Instructions > FOA VRA Process Checklist. For existing tools and contract renewals: |
| Risk Assessment Types | Is P3 or P4 data in scope of the business use case? If yes, the ISO will likely conduct a full assessment, in which the vendor is asked to provide security documentation and compliance artifacts; the department contact is strongly encouraged to prepare the vendor for the ISO's request for security information, which helps reduce wait times. If no, the ISO may conduct a lighter assessment (Multi-Point Intelligence Search) in which the vendor is not contacted, so no vendor preparation is needed. |
| Security Evidence Gathering | An ISO analyst contacts the vendor named in your ISO VRA request form and asks them to complete a new security questionnaire (e.g., HECVAT, SIG, CAIQ) or supply a recently completed one, together with relevant security documents, in order to measure the vendor's security practices and the risks to consider before doing business with them. If the vendor becomes unresponsive, the ISO analyst may ask for your help in engaging them. |
| Risk Assessment Report | An ISO risk assessor reviews the vendor's security documentation, conducts a public information search, and uses third-party risk tools to deliver a final report that identifies the key risk findings and recommendations about the vendor and the product or services in scope of the assessment. |
| Report Debriefing | The ISO risk assessor may hold a debriefing on the final report to discuss key points (risks, concerns, and recommendations) and answer questions about the report or the use case. |
| Department Response | Action: the department contact is responsible for adding responses and taking follow-up actions to address the Department Response. Once the final responses have been recorded on the document, the department contact requests approval from the Unit Head before proceeding with the purchase, renewal, or business engagement. Risk Acceptance: |
| Pre-Procurement & | A Supply Chain Management (SCM) Approval form for Software and Related Services is required for most purchases and renewals of IT products and services. Once the Unit Head's approval has been confirmed, our team works with the Technical UISL on your behalf to obtain their signature on the form. For P3 or P4 classifications: If HIPAA data is in scope... |
| Procurement | Provide all completed forms (e.g., the signed SCM Approval Form, Appendix DS Exhibit 1) to your Business Partner, Purchasing Team Contact or Procurement Analyst/Buyer so they can finalize the purchase agreement or order. Additional Resources: |