Overview
The Supplier Risk Management program at UC Davis is a multi-step process that involves collaboration among requestors, unit information security leads, Information Security Office, vendors/suppliers and Procurement & Contracting Services. The Vendor Risk Assessment is a step of this program.
About Vendor Risk Assessments (VRA)
A Vendor Risk Assessment (VRA) is required before any individual, unit or department works with an outside vendor that handles university data. The VRA helps protect UC Davis by ensuring vendors meet campus information security standards and by identifying and mitigating potential risks.
When is a VRA required?
VRAs are required under the University of California IS-3 Policy. To implement this policy, UC Davis adopted the following campus standard:
A VRA must be completed whenever software, cloud-based services, or digital content are used, purchased, or downloaded in the following situations:
- Products or services hosted on UC Davis systems or in the cloud that involve P3 or P4 level information or systems, or A4 availability level.
- (Recommended) Cloud-hosted products or services that involve P2-level or higher information.
Why is a VRA needed?
The purpose of the VRA is to reduce risk and verify compliance with UC Policy. As technology continues to change, new risks emerge. The IS-3 Policy includes the following (see section 6.1.1):
Units must complete risk assessments for institutional information and IT resources classified at Protection Level 3 (P3) or higher, or use an approved risk treatment plan. Risk assessments must include: cloud and supplier services for institutional information classified at Protection Level 2 (P2) or higher.
Notes:
- IS-3 requires administrative logs, vulnerability management, and emergency and disaster recovery planning for IT resources at Availability Level 4 (A4). The VRA process helps to ensure that these requirements are met.
- The UC Davis campus standard for implementing IS-3 requires a VRA for products or services hosted on UC Davis systems or in the cloud that involve P3 or P4 level information or systems, or A4 availability level. A VRA is recommended for cloud-hosted products or services that involve P2-level data.
A VRA is a point-in-time assessment that reveals threats and vulnerabilities which could adversely affect individuals, your department, and the entire university. When everyone works together to understand the security risks and their potential impacts, we can enhance the security of individual programs, departments, and UC Davis.
VRA In Context
What can cause a delay?
Common factors that may impact the VRA process include:
- Annual request volume fluctuations due to budget and calendar cycles
- Non-disclosure agreements and other vendor-related requirements
- Vendor response turnaround time
After the VRA is completed, contract negotiations may impact procurement timelines.
How can I mitigate any possible delays?
We recommend that you work with your area UISL to gather as much information as possible up front, and expect to facilitate engagement between the VRA team and the vendor, since additional information may be required during the assessment.
To be completed by the Requestor and Unit Information Security Lead (UISL)
Step 1: Determine Protection and Availability Levels
The requestor should consult with their Unit Information Security Lead (UISL) to determine the appropriate protection and availability levels for the acquisition. On-premise or cloud-hosted assets or services involving P3 or P4 information, or an A4 availability level, require a VRA. For cloud-hosted services with P2 data, a VRA is recommended.
Estimated Time: Depends on requestor and UISL
Step 2: Submit a VRA Request in ServiceNow
The requestor should:
- Consult with their UISL to determine the steps required to assess the security posture of the supplier in accordance with the unit’s risk management practices.
- Submit a ServiceNow ticket requesting a VRA if the asset or service is classified as P3, P4, or A4, whether hosted on-premise or in the cloud. For P2 data hosted in the cloud, a VRA is recommended. Some units (e.g., FOA, OSA and OCP) require the requestor to consult with their UISLs before submitting a VRA request.
Estimated Time: Depends on requestor and UISL
To be completed by the Information Security Office (ISO)
Step 3: Conduct the Assessment
Once a request is received, the VRA team will complete the following steps:
- Review the request to ensure the information required to begin the assessment is available.
- Determine whether an assessment for this vendor has been completed.
- Conduct a new assessment or update an old assessment.
Target Estimated Time: 4 weeks
Exceptions apply. A new non-disclosure agreement and/or non-responsiveness from the vendor may extend the estimated time. The VRA team may issue an "Insufficient Information" finding in certain cases.
Step 4: Publish the Report
Access to the report will be provided to the requestor and their UISL once the assessment is completed. If the assessment team identified high-to-significant risks with the vendor, the VRA team lead will request a debriefing with the requestor and their UISL. High-risk VRAs may require additional administrative reviews.
Estimated Time: 3 to 7.5 business days
Risk Acceptance Process (Under Development)
If you cannot complete or obtain an applicable and informative VRA for a vendor and/or urgently need to purchase a product or service and cannot wait for an assessment, you can refer to the Risk Acceptance Process as a last resort. The process is currently under development.
Please consult with the UISL in your area, your ISO liaison, or the ISO for more information.
Procurement Office Contract
Once the assessment is complete, the requestor will likely need to engage with the Procurement Office to work on a contract with the vendor. For more information, contact the UC Davis Procurement & Contract Office.