Vendor Risk Assessments for FOA Units
In today’s interconnected landscape, Vendor Risk Assessments play a critical role in protecting an organization’s data, operations, and reputation from information security risks arising from third-party partnerships.
Overview
A Vendor Risk Assessment (VRA) is a thorough review of a vendor's (supplier's) security practices and organizational maturity. Think of it like a detailed health report that points out any weak spots or dangers in how they protect information and operate their business. The review is conducted by the Information Security Office (ISO), and the key findings are summarized into a comprehensive report that highlights potential concerns, threats and vulnerabilities that could negatively impact customers of the service, university operations or IT resources, or the university's reputation. Then you, as the potential customer, decide whether you want to do business with the vendor based on the outcomes of the VRA and stakeholder authorization.
Scope: Third-party (vendor) software and related services (e.g., hardware and professional services) for use with any of the following:
- Institutional Information (e.g., names, email address, financial records, sensitive information of UC Davis affiliates)
- Institutional IT resources (e.g., computers, servers, networks)
- To facilitate administrative and campus programs
Responsibility for FOA Units
The VRA process must be initiated by the program manager or system owner (department contact) within the Unit (Department) that is procuring services from a third-party supplier. In addition to initiating the VRA, the department contact is responsible for:
- Risk Remediation (e.g., manage, mitigate, or eliminate identified risks)
- Ensuring contractual requirements are upheld (e.g., IS-3 policy, UCOP, IT governance)
- Receiving stakeholder input (e.g., UISLs, IT Team, FOA VRA Team, Division Head) and Unit Head approval for risk acceptance decisions
Procurement & Contractual Considerations
A VRA is required prior to procuring IT solutions and entering the procurement stage with Supply Chain Management. Since the full process can take upwards of 4 months, we strongly encourage you to initiate the VRA 4-6 months before your need-by date (implementation or annual renewal).
- Other Contractual Considerations
If Protection Level 3 (P3) or P4 data is in scope of the business use case:
Based on IS-3 requirements, the supplier must accept Appendix Data Security (DS) for UC agreements and supplier engagements. Appendix DS establishes baseline protection for the Institution in the event a supplier suffers a security incident or breach, and more.
Share this requirement with your suppliers ahead of time to help streamline the contractual negotiations phase. Refer to the VRA for New & Renewal Purchases for an overview of the VRA Process and an email template you can use for this purpose.
Responsibility for FOA Program Manager or System Owner
Prepare the Appendix DS - Exhibit 1 form with the relevant data types and regulations for the business use case. To complete this form, refer to your ISO VRA Request form and selections made for the sections labeled Use Case, Data Sensitivity, and Impact Assessment. For support, please contact Zainab Shakoor (Privacy Officer/Campus Counsel) for guidance on the data types and privacy selections.
Provide the completed form to your Business Partner, Purchasing Team Contact or Procurement Analyst/Buyer so they can attach it to the final agreement or purchase order.
- UC Policy (IS-3) Requirement
- The University of California, Office of the President (UCOP) Information Security Policy (IS-3) requires UC locations and units to walk through the VRA process before engaging with suppliers. This critical step helps guide the allocation of resources through risk-evaluation and cost-benefit analysis that is based on approved risk management decisions.
Refer to VRA Resources > Policy & Guidelines for a link to the IS-3 policy (pages 1 and 5) for a description of Institutional Information and IT resources.
- VRA Process
The ISO manages the campus VRA program. Upon review of your VRA request form, the Chief Information Security Officer (CISO) determines if a VRA is necessary. If necessary, a skilled security analyst engages the vendor to obtain relevant security and compliance documentation to identify potential weaknesses in their organization and IT solution(s).
The final outcome is a comprehensive report with risk scoring for each data classification level assessed, key findings, and actionable recommendations to effectively minimize the security concerns identified.
Explore our Menu for resources to help guide you in the VRA process.
For questions or support, contact FOA-VRA-Team@ucdavis.edu or schedule a Support Session with us.