Overview
The Information Security Office (ISO) offers a Vendor Security Assessment (VSA) Service for Vendor agreements that involve Vendor access to UC systems or to data classified at Protection Level P3 or P4. The VSA requirement applies to new Vendor agreements, renegotiated agreements, and renewals.
The purpose of the VSA Service is to determine whether the Vendor’s security plan is adequate to safeguard UC systems and data. At the conclusion of the service, a report will be provided to the requesting party including an overall risk rating, risks, and recommendations.
A typical VSA takes 4 to 6 weeks to complete, counted from the date the Vendor has provided all the information requested to perform the VSA. Please plan accordingly.
Roles and Responsibilities
The campus roles that typically participate in a VSA include the following:
Role | Description
--- | ---
Requester | The Requester is responsible for:
Buyer | Representative in the UC Procurement department responsible for the Vendor contract negotiation.
ISO Analyst | A member of the ISO Security Assessments Team assigned as the primary analyst responsible for the engagement with the Unit. The ISO Analyst will review the Vendor's security plan and will provide the Requester with a report including an overall risk rating, risks, and recommendations.
Venminder | ISO has contracted Venminder to perform information security assessments of Vendors on ISO's behalf.
How to Get Started
- Gather the following information from the Vendor (see FAQ):
  - Vendor contact information (name, title, email address, and phone number)
  - Name of third-party Vendor and the product/service being purchased
  - Vendor's SOC 2 Type II report (if available)
  - PCI DSS compliance documentation, such as a Self-Assessment Questionnaire (SAQ), Attestation of Compliance (AOC), and supporting policies (if applicable)
- Gather the following information:
  - Name of requesting Unit
  - Requester's contact information (name, title, email address)
  - Buyer's contact information (name, email address)
  - Description of the proposed use of the Vendor's product/service
- Complete the Appendix DS Exhibit 1. Consult with the Privacy Office if you need assistance with completing Appendix DS Exhibit 1.
- Work with your Buyer to:
  - Determine the Vendor's willingness to accept all terms in the Appendix DS without modification.
  - Determine whether the Vendor carries adequate cybersecurity insurance.
  - Submit your BearBUY requisition.
- Complete and submit the Request a Vendor Security Assessment form (requires CalNet login).
Please inform the Vendor that a representative from Venminder may reach out to them to conduct an assessment on UC Berkeley's behalf.
If you have any questions about VSAs, please email security-assessments@berkeley.edu.
Frequently Asked Questions
- How long will a VSA take using Venminder?
- What are the responsibilities and expectations for Units and Vendors during the VSA process?
- Will there be additional information or documents I need to provide when requesting a VSA?
- The Vendor is requiring a Non-Disclosure Agreement (NDA) in order to release security documentation. Who should sign the NDA?
- What should I do with the Venminder report and ISO guidance letter after an assessment is completed?
- Can I ask for another Vendor Security Assessment for a Vendor that previously received a “Not Recommended” rating?
Additional Information
- VSA Request Form
  - This is a full list of questions on the Vendor Security Assessment Request Form so that you can prepare your VSA request.
- ISO Guidance Letter (Sample)
- The following are Venminder document request lists and sample reports organized by assessment type:
  - Data Protection Assessment - Document Request List
  - Data Protection Assessment - Sample Report
  - Information Security & Privacy Assessment - Document Request List
  - Information Security & Privacy Assessment - Sample Report
  - Point-in-Time Cybersecurity Assessment - Document Request List
  - Point-in-Time Cybersecurity Assessment - Sample Report
- Venminder Risk Rating Scale
- Appendix DS Exhibit 1 (Example of completed Exhibit 1)
Appendix Data Security - Exhibit 1
The Vendor's security plan cannot be reviewed without the accurate completion of the Appendix DS Exhibit 1, which identifies the Protection Level of the data along with the applicable regulatory requirements.
Here is an example Appendix DS:

For help with classifying the Protection Level of the data to be handled by the Supplier, please refer to the UC Berkeley Data Classification Standard.

For questions regarding Privacy regulations under Exhibit 1 Section 3 (Institutional Information Regulation or Contract Requirements), contact the Privacy Office at privacyoffice@berkeley.edu. For questions about Data Security regulations, please contact ISO at security@berkeley.edu.