Frequently Asked Questions - Vendor Security Assessment Program

What is a "3rd-party service provider"?
What is a "vendor" or a "3rd-party service provider"?

A "vendor" or "3rd-party service provider" is an entity (e.g., a person or a company), separate from the University, that offers something for sale.  The typical types of vendor services that require an ISP vendor security assessment are technologies used to store, process, and/or transport covered data on behalf of the University, such as:

  • Software as a Service (SaaS) providers - companies that provide hosted application services (e.g., Google bmail)
  • Infrastructure as a Service (IaaS) providers - companies that provide hosted data storage or processing services (e.g., Amazon AWS)

These types of vendors are required to meet the same campus policy standards for the protection of covered data that is required for applications and services that are managed by internal campus IT resources.

What is the purpose of the Vendor Security Assessment Program?

The Vendor Security Assessment Program is intended to ensure that service providers who handle Protection Level 2 data on behalf of the University meet campus security policy requirements.  This is achieved in two ways:

  • By evaluating the vendor's security controls in comparison to campus policy.
  • Ensuring that the UCOP Data Security & Privacy Appendix is included in the vendor contract to provide baseline protection for the University in the event of a data breach.
Who needs to be involved in a vendor security assessment?

The roles that are typically involved in participating with a vendor security assessment include the following:

Resource Owner or Proprietor Campus unit representative who has overall responsibility for the application (e.g., budgeting and resource allocation).
Implementation Project Manager Unit member responsible for the roll-out of the application or service, including (but not limited to) vendor selection, contract specifications, configuration, process-flow design, personnel training, etc.
UC Buyer Representative in the UC Procurement department responsible for the vendor contract negotiation.
Vendor Representative Staff member of the service provider responsible for completing the Vendor Security Assessment Questionnaire.  Ideally, this person is affliated with the IT department and is knowleagable regarding the vendor's security framework.  Often times, the person in this role is a Sales or Customer Support Representative who facilitates communication between the vendor's IT staff and the ISP Assessor.
ISP Assessor A member of the ISP analysts team assigned as the primary assessor resonsible for the engagement with the unit.
Are vendor services available that have already been approved?
Are vendor services available to campus that have already been approved for PL1 or PL2 data?


There are several 3rd-party vendor services that are readily available to campus that have been approved for PL1 and PL2 data.  Campus units that adopt these 3rd-party services for the purpose of storing and sharing covered data can be assured that these vendors meet campus policy requirements.

Campus units that utilize these services for the handling of protected data should keep in mind that careful configuration and management of these applications is required to meet campus policy standards.

PL2 Approved Services

  • CalShare, a web-based document management and collaboration system utilizing Microsoft SharePoint. 
  • The Imagine document imaging and workflow service is a campus service that’s core purpose is to provide automated workflows and document managment and storage and can be integrated with other campus systems if needed. 

PL1 Approved Services

Please visit the bConnected website to learn more about the MSSEI protection level ratings for each of these products:  https://bconnected.berkeley.edu/collaboration-services

I have PL1 data, what do I do?
My unit is contracting with a 3rd-party service provider to host campus PL1 classified data. How can the vendor be assessed to meet campus security policies in the absence of ISP resources?


Units can ensure that 3rd-party service providers meet the campus data security policy requirements for the handling of Protection Level 1 (PL1) data through the following actions:

  • Be sure to include the UCOP Data Security & Privacy Appendix (link is external), required for all UC contracts involving 3rd-party access to protected data, without edits, in the service provider contract.  This ensures baseline protection for the University in the event of a data breach, including:
    • Service provider compliance with applicable laws (e.g., FERPA, HIPAA), regulations and campus policy.
    • Requirements for a vendor information security plan and breach reporting process.
    • Adequate cyber-insurance to cover the cost of investigating and responding to a breach.
  • Notify the service provider that by signing-off on the Data Security & Privacy Appendix, they are obligated to abide by campus policy, including aherence with the requirements of the UC Berkeley Minimum Security Standard for Electronic Information (MSSEI) policy for the protection of PL1 data.
The contract has already been signed, what do I do?
My unit is contracting with a 3rd-party service provider for the handling of campus Protection Level 2 data. The contract has already been signed, should I still engage with ISP for a vendor security assessment?


Although there is less bargaining power with the service provider to address security concerns after the contract has already been signed, it is still a good idea to perform a vendor security assessment for service providers who are handling Protection Level 2 (PL2) data:

  • If the overall risk level is acceptable, the unit is assured that the vendor meets campus policy for the protection of PL2 data.
  • If the overall risk level is High or Critical, it may be necessary to postpone or suspend the service until these issues have been addressed.

Vendors may be more inclined to particpate in a security assessment after the contract has been signed, but before the service has been initiated - as billing often does not begin until services have started. 

For VSAP reports with an overall acceptable risk rating, any medium-level risk findings identified in the report should be discussed with the vendor during the next contract renewal period.

The Data Security & Privacy Appendix was not included in the vendor contract, what do I do?
The contract with the 3rd-party service provider has already been signed and the UCOP Data Security & Privacy Appendix was not included. How will this effect the vendor security assessment?

For all UC contracts involving third-party access to covered data, the University of California Office of the President (UCOP) requires the inclusion of the Data Security and Privacy Appendix.  The appendix establishes baseline protection for the University in the event of a data breach.  Campus units that engage with service providers to handle covered data must ensure the appendix is included in new contracts without edits.

For VSAP engagements that have been initiated after the contract has been approved, and the UCOP appendix has been ommitted, the final assessment report will include contract related risk findings.  These findings are generally of a Critical risk nature, e.g.:

  • No guarantee of service provider compliance with applicable laws (e.g., FERPA, HIPAA) or campus policies for the protection of covered data.
  • The absence of requirements for a vendor information security plan and breach reporting process.
  • Inadequate cyber-insurance to cover the cost of investigating and responding to a breach.

In these cases, the unit may be required to suspend use of the service until the contract issues have been resolved with the vendor.

How do I get started?
What do I need to do to initiate a vendor security assessment with ISP?

To request a Vendor Security Assessment Program evaluation for a PL2 system that is vendor managed, review the Details of the Vendor Security Assessment Program and then send an email to security@berkeley.edu

Please include the following information:

  • Name of unit requesting VSAP service
  • Project Lead contact information
  • UC Provisioning Representative contact information (if applicable)
  • Name of third-party vendor/product/service
  • Service description
  • List of protected data elements that are known to be processed, stored, or transmitted by the service provider (see the UC Data Classification Standard for details)
  • Estimated number of records containing PL2 data