Details of the Vendor Security Assessment Program

Overview

With the Vendor Security Assessment Program (VSAP), ISP analysts engage with unit project managers, UC purchasing agents, and vendor representatives to evaluate the service providers' current security practices in comparison to the campus Minimum Security Standard for Electronic Information (MSSEI) policy.  The goal of this assessment is to identify any major gaps between vendor security controls and campus policy, to evaluate the level of risk these gaps represent, and to make recommendations to the unit as to how to address these risks. 

The VSAP service is usually initiated by a campus unit when seeking to contract a third-party service that is known to involve the processing, storage, or transport of data that has been classified as Protection Level 2 by campus policy.*  The Implementation Project Manager or Campus Purchasing Agent will contact ISP in these instances to request VSAP services during the procurement process.

Ideally, the vendor security assessment takes place before the vendor service contract is finalized, to ensure that the service provides adequate protection by meeting campus policy.  This also allows for an opportunity to negotiate additional contract provisions with the vendor to address any gaps if necessary.

The typical engagement timeline for a VSAP evaluation is 4 to 8 weeks, depending upon the cooperation of the vendor.

Process

Each phase below lists the phase name, the activities it involves, and the estimated time required.

Phase: Vendor Security Assessment Questionnaire

Activities: The Vendor Security Assessment Questionnaire form, completed by a vendor representative, is central to the VSAP process.  The questions in the form align directly with each of the MSSEI requirements, with references to the requirement guidelines.

The vendor representative is asked to describe the security controls currently in place within the service provider's operations that meet or exceed MSSEI requirements, including as much detail as necessary.

Estimated time required: 2 - 4 weeks

Phase: ISP Initial Review

Activities: ISP analysts will review the initial questionnaire responses and, in most cases, provide the vendor representative with a list of follow-up questions to help clarify their description of vendor security controls.

If this approach does not result in a complete set of responses, ISP will occasionally request a conference call meeting with the vendor's technical staff to address questions directly.

Estimated time required: 1 - 2 weeks

Phase: ISP Assessment and Report

Activities: ISP analysts will review the final set of responses to identify any gaps in the vendor's capacity to meet MSSEI requirements.  Where gaps are present, the ISP analyst will assess the risk those gaps represent in light of other security controls and mitigating factors.

The final deliverable from ISP will be a risk assessment report, with risk ratings for each finding, recommendations for remediation, and an overall report rating.

Estimated time required: 1 - 2 weeks

Risk Ratings

The risk severity of security control gaps discovered during a vendor security assessment will be rated according to the table below. Risk severity is determined based upon the estimated technical and business impact of the control gap, and on the estimated likelihood of the gap being exploited:


Below is a list summarizing factors by which a risk may be classified:

  • Critical risk control gaps have both a high impact and a high likelihood of damage to the University.
  • A finding with a high risk rating indicates a strong likelihood that the gap in security controls can be exploited by malicious users and lead directly to a compromise of covered data.
  • A medium severity risk rating is applied when the impact of a security control gap is high, but because of other mitigating factors, the opportunity to exploit this control gap is low.
  • A low risk rating is reserved for findings that require malicious users to possess special skills or access that are not otherwise easily acquired, and where the impact does not significantly compromise the security of covered data.
  • Findings that have been rated "For Information Only" are also risks with low impact and likelihood, but they do not correspond to any current UC Berkeley policy or other regulatory requirement.

Overall Report Rating

Campus units receive an overall VSAP report rating of "Recommend" or "Not Recommend" for a service provider, based upon the vendor's ability to adequately secure Protection Level 2 data.  A "Not Recommend" rating is issued when a service or product does not adhere to campus security policies and the missing controls are such that a security incident could directly lead to a breach of covered data.

The following findings will result in an automatic "Not Recommend" rating:

  • Any Critical or High risk findings in the VSAP report will result in a "Not Recommend" rating. These findings are deemed to have a high likelihood of being exploited and a high business impact for the University.
  • Multiple Medium or Low risk findings that create a Critical or High risk when leveraged together by attackers.

Service providers with a VSAP report "Not Recommend" rating do not currently meet campus security policy requirements for hosting Protection Level 2 data on behalf of the University.  It is recommended that the campus unit take one of the following actions:

  • Negotiate contract provisions with the vendor to mitigate or remediate the control gaps,
  • Find another qualified vendor to perform the service, or
  • Change the hosting requirements so that covered data is not included.

UCOP Data Security & Privacy Appendix

In addition to a "Recommend" vendor security assessment rating, the University of California Office of the President (UCOP) requires that all UC contracts involving third-party access to covered data include the Data Security and Privacy Appendix.  The appendix establishes baseline protection for the University in the event of a data breach.

Campus units that engage with service providers to handle covered data must ensure the appendix is included in new contracts without edits.

*Note:  MSSEI policy also pertains to service providers handling Protection Level 1 (PL1) data.  Application owners are responsible for ensuring that vendors handling PL1 data meet MSSEI requirements in the absence of available ISP assessment resources.