Demystifying the Vendor Risk Assessment Process



In order to contract with a third-party Vendor (service provider), all University of California units are required under the IS-3 Policy to complete Risk Assessments for institutional information and IT resources. At UC Davis, the Information Security Office (ISO) manages the Vendor Risk Assessment (VRA) program to guide and assist with this process, which can feel daunting, confusing, and frustrating. But what goes into a VRA and why is it so important?  

Risks & Security: A Rapid Evolution 

UC Davis processes continue to evolve to adhere to the IS-3 Policy requirements. As technology changes, new risks emerge, so UC Davis's approaches to security must evolve as well. While you may have made a recent technology purchase without a VRA, the same purchase or its renewal may require one in the future. A VRA is a point-in-time assessment: it reveals the threats and vulnerabilities, as of the date of the assessment, that could adversely affect end users, operations, your department, and the entire university. When everyone works together to understand the security risks and their potential impacts, we can enhance the security of individual programs, departments, and UC Davis.

VRA Pro Tips: 

Because this process can be lengthy, it helps to prepare before you begin. Please consider the following: 

  • Do not wait until the last minute! Submitting a VRA request 4-6 months before you need the Vendor and/or Service for a planned project is not too early.
  • Involve your requested Vendor in the security questionnaire and documentation request process. Contact a sales representative in advance and let them know the UC Davis Security Office will be reaching out to request security documentation. (Please note—many of the delays units experience with the VRA process are related to obtaining security information from Vendors in a timely manner.)

The following steps are required to keep UC Davis safe and secure when working with third-party Vendors and/or Services. 

Step 1: Classify Your Data 

Classify the information the requested Vendor and/or Service will collect, store, process, and/or transmit into one of the four Protection Levels (P1 through P4). Based on that Protection Level, the ISO determines whether a VRA is required and, if so, what type. (The ISO recommends repeating a Vendor Risk Assessment at least once a year for P4 use cases and once every two years for P3 use cases; for P2 and P1 use cases the cadence varies with the situation.) Click here to learn how to classify data and find examples of each Protection Level.


Step 2: Complete a Vendor Risk Assessment Request  

Once you have determined the Protection Level of your data, the next step is to complete a VRA request form. The information in this request, including your use case, the type of service, the impact if a breach occurred, and the availability you need, helps the ISO select the most appropriate and efficient approach to assessing the risks associated with using the requested third-party Vendor and/or Service. Click here to access the CAS-protected Vendor Risk Assessment Request form.


Step 3: Wait, Watch & Be Ready

The next step requires some patience. A lot will be happening behind the scenes and this process could take months to complete. However, you will be able to see updates by checking your Request Item ticket (RITM). Here is a brief (and simplified) timeline of the process:  

  • The ISO will review the request. In coordination with the Chief Information Security Officer (CISO), they will choose an approach to address the request (not every request will result in a VRA).
  • The ISO will gather information, including directly contacting the Vendor and/or Service, for the assessor’s report.  
  • The assigned assessor may follow up with the unit and/or Vendor with additional questions to complete the report.
  • The report is completed and reviewed for grammar, presentation, and content accuracy.
  • The CISO receives batches of reports weekly for review and release.
  • The VRA report is published to the requesting department with CISO’s decision and debriefings are scheduled per the CISO’s guidance. 


Step 4: You have your VRA report, what now? 

Your VRA report will be a detailed document that provides a comprehensive evaluation of risk scoring for each Protection Level, along with key findings and actionable recommendations to minimize and mitigate the identified security concerns. Please note that a completed VRA is not an approval to purchase. Advise the ISO if you would like to review the VRA results in collaboration with your Unit Information Security Lead (UISL). Click here to find your UISL (CAS login required).

Learn More about the ISO 

Vendor Risk Assessments are just one (very important) service the ISO performs to keep the UC Davis community secure. The ISO also provides security consulting and education, compliance, and so much more. Click here to learn more about the Information Security Office’s critical role at UC Davis.