If the Vendor receives a High or Severe Risk (Not Recommended) rating, we recommend the following steps:
1) Consult Your Unit Information Security Lead: Collaborate with your Unit Information Security Lead to determine the best course of action. Don’t know who your Unit Information Security Lead is? See the Current IS-3 Unit Heads and UISLs list.
2a) Option A: Avoid the Risk(s) and Choose a Different Vendor
- Choose a different Vendor. Note that the new Vendor will also need to be assessed before contracting. Complete and submit the Request a Vendor Security Assessment Form available on the Vendor Security Assessment Service Website.
- Optional/Recommended: Document the decision to not work with this Vendor using the Unit Head Risk Approval Form.
2b) Option B: Remediate and/or Accept the Risk(s) to Continue with Vendor:
- Remediate: Work with the Vendor to address the identified risks. This involves resolving any false positives and requesting a remediation plan from the Vendor with completion dates for each risk. A template for this will be provided with the report, which you may use at your discretion.
  - 1) Resolve false positives: False positives can occur when the Vendor misunderstands a security question, or when insufficient evidence was provided to confirm that a security control is in place (e.g. information security policies, incident response plans, or vulnerability scan and penetration test reports).
  - 2) Obtain remediation plans: A remediation plan details the Vendor's specific actions and clear completion dates for each identified risk. Integrate these plans into the contract to hold the Vendor accountable.
- Accept: If remediation is not feasible, accepting the risk may be necessary. Remember that acceptance should be considered a last resort, and the decision to accept risk is made in collaboration with your Unit Information Security Lead and Unit Head, as your Unit is ultimately accountable for these decisions.
3) Document the Decision and Obtain Unit Head Approval [1]:
- Make a copy of the Unit Head Risk Approval Form and document the risk decisions that have been made; see the form for further instructions.
- To continue working with the Vendor, both the remediation plans and any accepted risks require approval from the Unit Head. Document the Unit Head’s approval using the Unit Head Risk Approval Form. It’s also recommended to include the Unit’s buyer in the meeting so they are aware of the decision. Don’t know who your Unit Head is? See the Current IS-3 Unit Heads and UISLs list.
4) Obtain CISO Approval for High Risk P3 (HRP3) and P4 data/IT Resources [1]:
For High Risk P3 (HRP3) and P4 Vendors with a "Not Recommended" rating:
- Please include the CISO in the meeting with the Unit Head.
- Email the completed form to security-assessments@berkeley.edu and share with ciso-mssei-ssp@calgroups.berkeley.edu.
- If CISO inclusion in the meeting isn’t feasible, send an email to security-assessments@berkeley.edu and share with ciso-mssei-ssp@calgroups.berkeley.edu.
[1] If the Unit Head and/or CISO approves, the Unit is responsible for monitoring the Vendor to ensure they are addressing risks according to the remediation plan. If the Unit Head and/or CISO rejects the request, the Unit must choose another Vendor (Option A).