As part of National Cybersecurity Awareness Month, UC Davis Information and Educational Technology (IET) is highlighting four important topics related to cybersecurity each week of October 2023. Week four is Information Security Policy 3 (IS-3) education.
The IS-3 security policy was signed into policy by President Janet Napolitano in September 2018 and has been implemented across all UC campuses. At UC Davis, IT security is a shared responsibility among faculty, staff, students, and other affiliates within this policy. IS-3 takes a risk-based approach to security, classifying data under four Protection Levels and applying security controls to high-risk data to mitigate the risk of a security breach or loss of data availability.
At UC Davis, the Information Security Office (ISO) runs the Vendor Risk Assessment (VRA) program to guide and assist units when contracting with third-party Vendors and/or Services. In the article below, we break down the process into just four steps and provide VRA pro tips.
Demystifying the Vendor Risk Assessment Process
UC Davis processes continue to evolve to adhere to the IS-3 Policy requirements. As technology continues to change, new risks emerge, thus UC Davis’s approaches to security must evolve as well. While you may have made a recent technology purchase without a VRA, those same purchases or renewals may require one in the future. VRAs are a point-in-time assessment, revealing threats and vulnerabilities that could adversely affect end users, operations, your department, and the entire university. When everyone works together to understand the security risks and their potential impacts, we can enhance the security of individual programs, departments, and UC Davis.
