Information Security Office analysts engage with unit project managers, UC purchasing agents, and vendor representatives to evaluate the service provider's current security practices. Using the campus Minimum Security Standard for Electronic Information (MSSEI) policy, the analysts identify any major gaps between vendor security controls and campus policy, evaluate the level of risk these gaps represent, and make recommendations to the units.
The VSAP service is usually initiated by a campus unit seeking to contract a third-party service that is known to involve the processing, storage, or transport of Protection Level 2 data.* The Implementation Project Manager or Campus Purchasing Agent will contact ISO in these instances to request VSAP services during the procurement process.
Ideally, the assessment takes place before the vendor service contract is finalized, to ensure that the service meets campus policy and for an opportunity to negotiate additional contract provisions with the vendor to address any gaps if necessary.
The typical engagement timeline for a VSAP evaluation is 4 to 8 weeks, depending upon the cooperation of the vendor.
| Phase | Activities | Estimated Time Required |
| --- | --- | --- |
| Vendor Security Assessment Questionnaire | The Vendor Security Assessment Questionnaire form, completed by a vendor representative, is central to the VSAP process. The questions in the form align directly with each of the MSSEI requirements, with references to the required guidelines. The vendor representative is asked to describe the security controls currently in place within the service provider's operations that meet or exceed MSSEI requirements, including as much detail as necessary. | 2 - 4 weeks |
| ISO Initial Review | ISO analysts will review the initial questionnaire responses and, in most cases, provide the vendor representative with a list of follow-up questions to help clarify their description of vendor security controls. If this approach does not result in a complete set of responses, ISO will occasionally request a conference call with the vendor's technical staff to address questions directly. | 1 - 2 weeks |
| ISO Assessment and Report | ISO analysts will review the final set of responses to identify any gaps in the vendor's capacity to meet MSSEI requirements. Where gaps are present, the ISO analyst will assess the risk those gaps represent in light of other security controls and mitigating factors. The final deliverable from ISO will be a risk assessment report, with risk ratings for each finding, recommendations for remediation, and an overall report rating. | 1 - 2 weeks |
The risk severity of security control gaps discovered during an assessment is rated using the categories below. Risk severity is determined by the estimated technical and business impact of the control gap and by the estimated likelihood of the gap being exploited:
- Critical-risk control gaps have both a high impact and a high likelihood of damage to the University.
- A finding with a high-risk rating indicates a strong likelihood that the gap in security controls can be exploited by malicious users and lead directly to a compromise of covered data.
- A medium severity risk rating is applied when the impact of a security control gap is high, but because of other mitigating factors, the opportunity to exploit this control gap is low.
- A low-risk rating is reserved for findings that require malicious users to possess special skills or access that are otherwise not easily acquired, and when the impact does not significantly compromise the security of covered data.
- Findings that have been rated "For Information Only" are also risks with low impact and likelihood, but do not correspond to any current UC Berkeley policy or other regulatory requirements.
Overall Report Rating
Campus units receive an overall report with a "Recommend" or "Not Recommend" rating for service providers, based upon the vendor's ability to adequately secure Protection Level 2 data. A "Not Recommend" rating is issued when a service or product does not adhere to campus security policies.
The following risk ratings will result in an automatic "Not Recommend" rating:
- Any Critical or High-risk findings. These findings are deemed to have a high likelihood of being exploited and a high business impact for the University.
- Multiple Medium- or Low-risk findings that create a Critical or High risk when leveraged together by attackers.
When a VSAP report carries a "Not Recommend" rating, the campus unit needs to either:
- Negotiate contract provisions with the vendor to mitigate or remediate the control gaps,
- Find another qualified vendor to perform the service, or
- Change the hosting requirements so that covered data is not included.
UCOP Data Security & Privacy Appendix
In addition to receiving a "Recommend" rating, for all UC contracts involving third-party access to covered data, the University of California Office of the President (UCOP) requires the inclusion of the Data Security and Privacy Appendix. The appendix establishes baseline protection for the University in the event of a data breach.
Campus units that engage with service providers to handle covered data must ensure the appendix is included in new contracts without edits.
Frequently Asked Questions
- What is a "vendor"?
- What is the purpose of the Vendor Security Assessment Program?
- Who needs to be involved in a vendor security assessment?
- Are vendor services available that have already been assessed?
- I have PL1 data, what do I do?
- The contract has already been signed, what do I do?
- The Data Security & Privacy Appendix was not included in the vendor contract, what do I do?
- How do I get started?
*Note: MSSEI policy also pertains to service providers handling Protection Level 1 (PL1) data. Application owners are responsible for ensuring that vendors handling PL1 data meet MSSEI requirements in the absence of available ISO assessment resources.