The Information Security Office (ISO) offers a Vendor Security Assessment Service for Supplier contracts that involve Supplier access to UC systems or to data classified at Protection Level P3 or P4. UC system-wide policy requires that Suppliers (aka “vendors”) comply with the UCOP Appendix Data Security (DS) by addressing campus policy and regulatory requirements (e.g., FERPA, GDPR, HIPAA) in a detailed security plan.
The ISO Security Assessments Team will review the plan for compliance with the Appendix DS requirements and relevant laws or regulations, to identify any gaps, and will provide a recommendation report to help the requester and Buyers assess vendor risk.
How to Get Started
Review the Details of the Vendor Security Assessment Service page.
You will need the following information:
- Name of requesting Unit
- Project Lead contact information
- UC Provisioning Representative contact information (if applicable)
- Name of third-party vendor/product/service
- Service description
- Requested deadline for completion of the assessment
- NOTE: Typical turnaround for a vendor security assessment is 4-8 weeks. Please plan accordingly.
You will need the following documents:
- The Supplier security plan, along with any supporting documentation, e.g., SOC report, certifications, PCI DSS attestation of compliance (AOC)
- A copy of the UCOP Appendix Data Security with the “Exhibit 1 - Institutional Information” section completed
- Copies of the contract Terms & Conditions and/or Statement of Work (optional)
Once you’ve gathered the required information, please submit it using this Google Form:
Please allow four to eight weeks for a Vendor Security Assessment to be completed. Time to completion of the Vendor Security Assessment will vary depending on assessment team workload, risk, and vendor response time.
Request a Vendor Security Assessment (form requires CalNet login)
If you have any questions about vendor security assessments, you may create a ServiceNow ticket by emailing email@example.com.