Information Security Office Services & Consultation

The ISO is here to support you in your quest toward cyber safety and cyber awareness. We offer support, advice, and services to help you and your organization.

One of the roles of the UC Davis Information Security office is to provide services and consultation to campus affiliates as they navigate cyber security issues in their organizations. Here are some of the services the Information Security Office provides (with more to come):

Vulnerability Management Program:  Vulnerability Management involves using a remote security scanning tool, which scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any computer you have connected to a network. For more information, visit the service page in the UC Davis IT Catalog.

Unit Risk Assessment:  Laws (HIPAA) and industry mandates (PCI) require organizations to assess their vulnerabilities and risks. Organizations must be conscious of information security, and must develop and implement proper security controls based on their internal risk and vulnerability assessments. For information about  Information Security Office risk assessments and how to get started, visit the service page in the IT Catalog.

Vendor Risk Assessments:  The UCOP IS-3 policy requires that a risk assessment be completed when contracting for a 3rd-party provided service that will handle UC Davis information, or otherwise potentially impact the security of UC Davis. The UC Davis Information Security Office (ISO) offers a vendor risk assessment service which includes the following general steps:

  1. Request for a Vendor Risk Assessment by the requesting Unit using the online form https://itriskmanager.saiglobal.com/UCDAVISGRC/.
  2. Collection of information by the ISO from the requesting Unit about the “use case”,  and/or type of information that will be involved and what the nature of the service is. This is accomplished through an on-line Context Questionnaire.
  3. Collection of security answers from the service provider. This is accomplished through an on-line security questionnaire based on the EDUCAUSE HECVAT. The selection of the questions, and how much supporting evidence is needed for the answers, is further informed by the use case and IS-3, to be sure the approach is balanced.
  4. Development of a risk assessment report draft. When the report is drafted, we can do a “pre-briefing” with the requester to provide an indication whether the ISO is seeing high or low risks that may have to be addressed.
  5. Review of the report through the UC Davis Privacy and CISO offices.
  6. Final debriefing with the requesting Unit about the report and recommendations. The debriefing should include the Unit IT/Security lead.
  7. Filling out of the requesting Unit/Department response to the recommendations.
  8. Decision by the Unit Head or designee whether any residual risks are acceptable, and whether to proceed.

To proceed with a request for a Vendor Risk Assessment, please fill out the online form shown in step #1 above. To ask questions about this service, please contact cyber-security@ucdavis.edu.

Visit this page to review a list of vendors who have undergone a risk assessment by the Information Security Office. Note that the page is behind CAS.

General ISO Consultation: To set up an appointment for a consultation on cyber security matters, please email cybersecurity@ucdavis.edu.