Frequently Asked Questions - Vendor Security Assessment Program

Frequently asked questions concerning the ISP Vendor Security Assessment Program (VSAP).

Are vendor services available that have already been approved?

Are vendor services available to campus that have already been approved for UC P2/3 or UC P4 data?


There are several 3rd-party vendor services that are readily available to campus that have been approved for UC P2/P3 or UC P4 data. Campus units that adopt these 3rd-party services for the purpose of storing and sharing covered data can be assured that these vendors meet campus policy requirements.

Campus units that utilize these services for the handling of protected data should keep in mind that careful configuration and management of these applications is required to meet campus policy standards.

UC P4...

I have UC P2/3 data. What do I do?

My unit is contracting with a 3rd-party service provider to host campus UC P2/3 classified data. How can the vendor be assessed to meet campus security policies in the absence of ISO resources?


Units can ensure that 3rd-party service providers meet the campus data security policy requirements for the handling of UC P2/3 data through the following actions:

Be sure to include the UCOP Data Security & Privacy Appendix, required for all UC contracts involving 3rd-party access to protected data, without edits, in the service provider contract. This ensures baseline...

What is a "3rd-party service provider"?

What is a "vendor" or a "3rd-party service provider"?

A "vendor" or "3rd-party service provider" is an entity (e.g., a person or a company), separate from the University, that offers something for sale. The typical types of vendor services that require an ISO vendor security assessment are technologies used to store, process, and/or transport protected data on behalf of the University, such as:

Software as a Service (SaaS) providers - companies that provide hosted application services (e.g., Google bmail)
Infrastructure as...

Who needs to be involved in a vendor security assessment?

The roles typically involved in a vendor security assessment include the following:

Resource Owner or Proprietor: Campus unit representative who has overall responsibility for the application (e.g., budgeting and resource allocation).
Implementation Project Manager: Unit member responsible for the roll-out of the application or service, including (but not limited to) vendor selection, contract specifications, configuration, process-flow design, personnel training, etc.
UC Buyer Representative...

How do I get started?

What do I need to do to initiate a vendor security assessment with the Information Security Office?

To request a Vendor Security Assessment Program evaluation for a PL2 system that is vendor managed, review the Details of the Vendor Security Assessment Program and then send an email to security@berkeley.edu.

Please include the following information:

Name of the unit requesting VSAP service
Project Lead contact information
UC Provisioning Representative contact information...