Frequently Asked Questions - Vendor Security Assessment Program

Frequently asked questions concerning the ISP Vendor Security Assessment Program (VSAP).

What is a "3rd-party service provider"?

What is a "vendor" or a "3rd-party service provider"?

A "vendor" or "3rd-party service provider" is an entity (e.g., a person or a company), separate from the University, that offers something for sale. The typical types of vendor services that require an ISO vendor security assessment are technologies used to store, process, and/or transport protected data on behalf of the University, such as:

Software as a Service (SaaS) providers - companies that provide hosted application services (e.g., Google bmail)
Infrastructure as...

Who needs to be involved in a vendor security assessment?

The roles typically involved in a vendor security assessment include the following:

Resource Owner or Proprietor - Campus unit representative who has overall responsibility for the application (e.g., budgeting and resource allocation).
Implementation Project Manager - Unit member responsible for the roll-out of the application or service, including (but not limited to) vendor selection, contract specifications, configuration, process-flow design, personnel training, etc.
UC Buyer Representative...

How do I get started?

What do I need to do to initiate a vendor security assessment with the Information Security Office?

To request a Vendor Security Assessment Program evaluation for a PL2 system that is vendor managed, review the Details of the Vendor Security Assessment Program and then send an email to security@berkeley.edu.

Please include the following information:

Name of the unit requesting VSAP service
Project Lead contact information
UC Provisioning Representative contact information...