The ISO is here to support you in your quest toward cyber safety and cyber awareness. We offer support, advice, and services to help you and your organization.

One of the roles of the UC Davis Information Security office is to provide services and consultation to campus affiliates as they navigate cyber security issues in their organizations. Here are some of the services the Information Security Office provides (with more to come):

Vulnerability Management Program:  Vulnerability Management involves using a remote security scanning tool, which scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any computer you have connected to a network. For more information, visit the service page in the UC Davis IT Catalog.

Unit Risk Assessment:  Laws (HIPAA) and industry mandates (PCI) require organizations to assess their vulnerabilities and risks. Organizations must be conscious of information security, and must develop and implement proper security controls based on their internal risk and vulnerability assessments. For information about  Information Security Office risk assessments and how to get started, visit the service page in the IT Catalog.

Vendor Risk Assessments:  The UCOP IS-3 policy requires that a risk assessment be completed when contracting for a 3rd-party provided service that will handle UC Davis information, or otherwise potentially impact the security of UC Davis. The UC Davis Information Security Office (ISO) offers a vendor risk assessment service which includes the following general steps:

  1. Request for a Vendor Risk Assessment by the interested Unit using the online form at Enter the key words "Vendor Risk Assessment" in the search box, and access the "Vendor Risk Assessment Request" form to fill it out.
  2. Collection of security answers from the service provider. This is accomplished through an on-line security questionnaire based on the EDUCAUSE HECVAT. The selection of the questions, and how much supporting evidence is needed for the answers, is further informed by the use case and IS-3, to be sure the approach is balanced.
  3. Development of a risk assessment report draft. When the report is drafted, we can do a “pre-briefing” with the requester to provide an indication whether the ISO is seeing high or low risks that may have to be addressed.
  4. Review of the report through the UC Davis Privacy and CISO offices.
  5. Final debriefing with the requesting Unit about the report and recommendations. The debriefing should include the Unit IT/Security lead.
  6. Filling out of the requesting Unit/Department response to the recommendations.
  7. Decision by the Unit Head or designee whether any residual risks are acceptable, and whether to proceed.

To proceed with a request for a Vendor Risk Assessment, please fill out the online form referenced in step #1 above. To ask questions about this service, please contact

General ISO Consultation: To set up an appointment for a consultation on cyber security matters, please email