Details of the Vendor Security Assessment Program


Information Security Office analysts engage with unit project managers, UC purchasing agents, and vendor representatives to evaluate the service provider's current security practices. Using the campus Minimum Security Standard for Electronic Information (MSSEI) policy, the analysts identify any major gaps between vendor security controls and campus policy, evaluate the level of risk these gaps represent, and make recommendations to the units.

The VSAP service is usually initiated by a campus unit seeking to contract a third-party service that is known to involve the processing, storage, or transport of UC P3 and UC P4 (formerly UCB PL2) data.*  The Implementation Project Manager or Campus Purchasing Agent will contact ISO in these instances to request VSAP services during the procurement process.

Ideally, the assessment takes place before the vendor service contract is finalized, to ensure that the service meets campus policy and for an opportunity to negotiate additional contract provisions with the vendor to address any gaps if necessary.

The typical engagement timeline for a VSAP evaluation is 4 to 8 weeks, depending upon the cooperation of the vendor.


PhaseActivitiesEstimated Time Required

Vendor Security Assessment Questionnaire

The Vendor Security Assessment Questionnaire form, completed by a vendor representative, is central to the VSAP process.  The questions in the form align directly with each of the MSSEI requirements, with references to the required guidelines. 

The vendor representative is asked to describe the security controls currently in place within the service provider's operations that meet or exceed MSSEI requirements, including as much detail as necessary.

2 - 4 weeks

ISO Initial Review

ISO analysts will review the initial questionnaire responses and, in most cases, provide the vendor representative with a list of follow-up questions to help clarify their description of vendor security controls. 

If this approach does not result in a complete set of responses, ISO will occasionally request a conference call meeting with the vendor's technical staff to address questions directly.

1 - 2 weeks

ISO Assessment and Report

ISO analysts will review the final set of responses to identify any gaps in the vendor's capacity to meet MSSEI requirements.  Where gaps are present, the ISO analyst will assess the risk those gaps represent in light of other security controls and mitigating factors. 

The final deliverable from ISO will be a risk assessment report, with risk ratings for each finding, recommendations for remediation, and an overall report rating

1 - 2 weeks

Risk Ratings

The risk severity of security control gaps discovered during an assessment will be rated according to the table below. Risk severity is determined based upon the estimated technical and business impact of the control gap, and on the estimated likelihood of the gap being exploited:

ASTP Risk Rating

Below is a list summarizing factors by which a risk may be classified:

  • Critical risk control gaps have both a high impact and a likelihood of damage to the University. 
  • A finding with a high-risk rating indicates a strong likelihood that the gap in security controls can be exploited by malicious users and lead directly to a compromise of protected data
  • A medium severity risk rating is applied when the impact of a security control gap is high, but because of other mitigating factors, the opportunity to exploit this control gap is low.  
  • A low-risk rating is reserved for findings that require malicious users to possess special skills or access that are otherwise not easily acquired, and when the impact does not significantly compromise the security of covered data.
  • Findings that have been rated "For Information Only" are also risks with low impact and likelihood, but do not correspond to any current UC Berkeley policy or other regulatory requirements.

Overall Report Rating

Campus units receive an overall report with a "Recommend" or "Not Recommend" rating for service providers, based upon the vendor's ability to adequately secure UC P3 and UC P4 (formerly UCB PL2) data.  A "Not Recommend" rating is issued when a service or product does not adhere to campus security policies.

The following risk ratings will result in an automatic "Not Recommend" rating:

  • Any Critical or High-risk findings. These findings are deemed to have a high likelihood of being exploited and a high business impact for the University.
  • Multiple Medium or Low-risk findings that create a Critical or High-risk when leveraged together by attackers.

Service providers with a VSAP report "Not Recommend" rating need to either:

  • Negotiate contract provisions with the vendor to mitigate or remediate the control gaps
  • Find another qualified vendor to perform the service, or
  • Change the hosting requirements so as not to include covered data

UCOP Data Security & Privacy Appendix

In addition to receiving a "Recommend" rating, for all UC contracts involving third-party access to covered data, the University of California Office of the President (UCOP) requires the inclusion of the Data Security and Privacy Appendix.  The appendix establishes baseline protection for the University in the event of a data breach. 

Campus units that engage with service providers to handle covered data must ensure the appendix is included in new contracts without edits.

Frequently Asked Questions

*Note:  MSSEI policy also pertains to service providers handling UC P2/P3 data (formerly UCB PL1).  Application owners are responsible for ensuring that vendors handling UC P2/P3 data (formerly UCB PL1) meet MSSEI requirements in the absence of available ISO assessment resources.