Frequently Asked Questions - Vendor Security Assessment Program

Frequently asked questions concerning the ISP Vendor Security Assessment Program (VSAP).

What do I need to do if a Vendor's products or services use Artificial Intelligence (AI)?

It is important to understand how a vendor's services/products may use Artificial Intelligence (AI) capabilities, to ensure that such use aligns with UC's policies, advisories, and guidelines on AI. AI functionality in Vendor services/products must be evaluated for security, privacy, and general AI risks.

Regarding the Vendor Security Assessment process and AI, the following are some key questions the Requester should be prepared to answer in coordination with the Vendor.

ISO...

Can I ask for another Vendor Security Assessment for a Vendor that previously received a “Not Recommended” rating?

Units are allowed a maximum of one (1) resubmission for Vendors that receive an overall Not Recommended rating. Prior to resubmission, the significant deficiencies identified in the previous assessment must be addressed. If a Vendor receives an overall Not Recommended rating after the one (1) resubmission, then alternative Vendors should be considered, or the Unit should apply for an exception.

...

What are the responsibilities and expectations for Units and Vendors during the VSA process?

What are the responsibilities and expectations for UCB Units and Vendors during the Vendor Security Assessment (VSA) process?

Units requesting a Vendor Security Assessment (VSA) should review the following document and share it with the Vendor so that they are prepared for the VSA process.

UC Berkeley Vendor Security Assessments (VSA) - Responsibilities & Expectations (PDF)

What should I do with the Venminder report and ISO guidance letter after an assessment is completed?

Once a VSA is complete, ISO recommends reviewing the guidance letter and the Venminder report with your Unit Information Security Lead (UISL) to decide on the appropriate course of action for responding to the findings identified in the Venminder report. The ISO guidance letter in particular will provide information regarding what type of response the Unit requires per campus security policy.

The Vendor is requiring a Non-Disclosure Agreement (NDA) in order to release security documentation. Who should sign the NDA?

The Requester is responsible for signing any Non-Disclosure Agreements with the Vendor and informing ISO which documents are under NDA.

Inform the ISO Assessments Team on the corresponding ServiceNow ticket for your VSA request if the Vendor is asking that ISO or Venminder sign the NDA.

Will there be additional information or documents I need to provide when requesting a VSA?

Yes, the Requester will be responsible for providing the following information when requesting a VSA:

Vendor primary point of contact (name, title, phone number, and email address)

Vendor name and product/service being purchased

A description of the Vendor product/service and how it will be used on campus

A completed ...

How long will a VSA take using Venminder?

A typical VSA takes 4 to 6 weeks to complete starting from the date the Vendor has provided all the information requested. Please plan accordingly.

What is the purpose of the Vendor Security Assessment Program?

The Vendor Security Assessment Program is intended to ensure that service providers who handle UC P4 data on behalf of the University meet campus security policy requirements. This is achieved in two ways:

By evaluating the vendor's security controls in comparison to campus policy.

Ensuring that the UCOP Data Security & Privacy Appendix is...

The Data Security & Privacy Appendix was not included in the vendor contract, what do I do?

The contract with the 3rd-party service provider has already been signed and the UCOP Data Security & Privacy Appendix was not included. How will this affect the vendor security assessment?

For all UC contracts involving third-party access to covered data, the University of California Office of the President (UCOP) requires the inclusion of the Data Security and Privacy Appendix. The appendix establishes baseline protection for the University in the event of a data breach. Campus units that engage with service providers to handle covered data must ensure the appendix is included in new contracts without edits.

For VSAP engagements that...

The contract has already been signed, what do I do?

My unit is contracting with a 3rd-party service provider for the handling of campus protected data. The contract has already been signed, should I still engage with ISO for a vendor security assessment?

Although there is less bargaining power with the service provider to address security concerns after the contract has already been signed, it is still a good idea to perform a vendor security assessment for service providers who are handling UC P3 or P4 data:

If the overall risk level is acceptable, the unit is assured that the vendor meets campus policy for the protection of...