Yes, the Requester will be responsible for providing the following information when requesting a VSA:
- Vendor primary point of contact (name, title, phone number, and email address)
- Vendor name and product/service being purchased
- A description of the Vendor product/service and how it will be used on campus
- A completed UC Appendix DS Exhibit 1 form
Additionally, the following security documents will speed up the assessment process:
- If available, include the Vendor’s SOC 2 Type II report. NOTE: Venminder will need the Vendor’s own report and not the report of the Vendor’s hosting provider such as AWS, Azure, GCP, etc.
- PCI DSS compliance documentation for Vendors that accept payment card data on behalf of UC.
- Please include the vendor’s PCI DSS Self-Assessment Questionnaire (SAQ), Attestation of Compliance (AOC), and any other supporting policies or PCI compliance documentation.
ISO will no longer ask for the statement of work, contract/agreement, or the Vendor’s security plan.