Frequently Asked Questions - Vendor Security Assessment Program

Frequently asked questions concerning the ISP Vendor Security Assessment Program (VSAP).

What is a "3rd-party service provider"?

What is a "vendor" or a "3rd-party service provider"?

A "vendor" or "3rd-party service provider" is an entity (e.g., a person or a company), separate from the University, that offers something for sale.  The typical types of vendor services that require an ISP vendor security assessment are technologies used to store, process, and/or transport covered data on behalf of the University, such as:

Are vendor services available that have already been approved?

Are vendor services available to campus that have already been approved for PL1 or PL2 data?


There are several 3rd-party vendor services that are readily available to campus that have been approved for PL1 and PL2 data.  Campus units that adopt these 3rd-party services for the purpose of storing and sharing covered data can be assured that these vendors meet campus policy requirements.

Campus units that utilize these services for the handling of protected data should keep in mind that careful configuration and management of these applications is required to meet campus policy standards.

Who needs to be involved in a vendor security assessment?

The roles that are typically involved in participating with a vendor security assessment include the following:

What is the purpose of the Vendor Security Assessment Program?

The Vendor Security Assessment Program is intended to ensure that service providers who handle Protection Level 2 data on behalf of the University meet campus security policy requirements.  This is achieved in two ways:

The contract has already been signed, what do I do?

My unit is contracting with a 3rd-party service provider for the handling of campus Protection Level 2 data. The contract has already been signed, should I still engage with ISP for a vendor security assessment?


Although there is less bargaining power with the service provider to address security concerns after the contract has already been signed, it is still a good idea to perform a vendor security assessment for service providers who are handling Protection Level 2 (PL2) data:

The Data Security & Privacy Appendix was not included in the vendor contract, what do I do?

The contract with the 3rd-party service provider has already been signed and the UCOP Data Security & Privacy Appendix was not included. How will this effect the vendor security assessment?

I have PL1 data, what do I do?

My unit is contracting with a 3rd-party service provider to host campus PL1 classified data. How can the vendor be assessed to meet campus security policies in the absence of ISP resources?


Units can ensure that 3rd-party service providers meet the campus data security policy requirements for the handling of Protection Level 1 (PL1) data through the following actions:

How do I get started?

What do I need to do to initiate a vendor security assessment with ISP?