Frequently Asked Questions
- What is a "third-party service provider"?
A "vendor" or "third-party service provider" is an entity (e.g., a person or a company), separate from the university, that offers something for sale. The typical types of vendor services that require an ISO vendor risk assessment are technologies used to store, process, and/or transport protected data on behalf of the university, such as:
• Software as a Service (SaaS) providers - companies that provide hosted application services (e.g., Gmail, Calendly, Box)
• Infrastructure as a Service (IaaS) providers - companies that provide hosted data storage or processing services (e.g., Amazon AWS, Microsoft Azure)
These vendors are required to meet the same campus policy standards, for the protection level classification of the protected data they handle, that apply to applications and services managed by internal campus IT resources.
- What is the purpose of the Vendor Risk Assessment Service?
The Vendor Risk Assessment (VRA) Service is intended to ensure that service providers who handle university data meet campus security policy requirements. This is primarily achieved in two ways:
• By evaluating the vendor's security controls against campus policy.
• By ensuring that the UCOP Data Security & Privacy Appendix is included in the vendor contract to provide baseline protection for the university in the event of a data breach.
- Are there available products and services that have already been vetted by the VRA?
Review the information on the Vendor Risk Assessment page to identify vendors that have a Vendor Risk Assessment in place (or in process) and the level of data for which the assessment is valid. Contact the Information Security Office (ISO) at cybersecurity@ucdavis.edu for guidance before proceeding with a purchase request based on an existing VRA.
- I already have a completed VRA; why do I need to request another VRA for the same product?
While other circumstances may apply, the two most common drivers for renewing an existing VRA include:
• VRAs are a point-in-time analysis of a vendor's security standing. If the last VRA was completed more than two years prior, there is a chance that your vendor's security posture has changed, and additional risk mitigations or contractual requirements may be necessary to ensure safe, continued use of the product/service.
• The current use case is materially different from the one covered by the previous VRA. The context of the VRA is a significant factor in the assessment process. If the context changes significantly, the guidance and recommendations may also need to be updated for effective risk mitigation.
- How do I know if a product or service is subject to the IS-3 risk assessment policy?
Risk assessments apply to Cloud-hosted and Supplier-provided products and services that will be used with Institutional Information classified at Protection Level 2 or higher and/or with Institutional technology resources.
If you are uncertain whether a planned IT purchase is subject to the IS-3 risk assessment policy, contact FOA-VRA-Team@ucdavis.edu for assistance.
- How do I know if my information (data) is sensitive?
Sensitive data is any data that you would not want shared with the general public, such as financial information (e.g., credit card information, bank account information, social security numbers, confidential information), business information (e.g., accounting data, trade secrets, business plans, financial statements), or personal data (e.g., addresses, medical history, driver's license numbers, phone numbers). If your data is related to student information, it could be subject to FERPA regulations.
Visit VRA Resources > Data Classification Guides for examples of data types and their classification.
- Who needs to be involved in a VRA?
The roles that are typically involved in participating with a vendor risk assessment include the following:
• Resource Owner or Proprietor: Campus unit representative who has overall responsibility for the application (e.g., budgeting and resource allocation).
• Implementation Project Manager: Unit member responsible for the roll-out of the application or service, including (but not limited to) vendor selection, contract specifications, configuration, process-flow design, personnel training, etc.
• UC Buyer: Representative in the UC Davis Procurement department responsible for the vendor contract negotiation.
• Vendor Representative: Vendor contact responsible for completing the security questionnaire. Ideally, this person is a member of the vendor's security group or affiliated with its IT department and is knowledgeable about the vendor's security framework. Oftentimes, the person in this role is a Sales or Customer Support Representative who facilitates communication between the vendor's IT staff and the ISO Assessor.
• ISO Assessor: A member of the ISO analyst team assigned as the primary assessor responsible for the engagement with the unit.
- How do I get started?
Contact your IT support representative or email FOA-VRA-Team@ucdavis.edu for guidance on the process and on initiating a vendor security assessment with the Information Security Office.
Reference the FOA VRA Process Checklist for a full overview of the VRA process.
- Assistive Technology: How do I request and obtain software for accessibility and assistive-related needs? Do I need to complete the VRA process?
The Client Services division of Admin IT manages the desktop install and licensing for FOA staff who need Assistive / Accessibility Technology, such as Trello, Otter.AI, and other solutions. To submit your request, fill out the Client Services Software Purchase request form.
Individuals are not required to undertake the VRA process themselves; instead, the FOA VRA Team manages the process and coordinates with Client Services on the VRA Review and SCM Approval form needed to support the staff member's request(s).