Vendor Security Assessment Service


The Information Security Office (ISO) offers a Vendor Security Assessment Service for Supplier contracts that involve  Supplier access to UC systems or to data classified at Protection Level P3 or P4.  UC system-wide policy requires that Suppliers (aka “vendors”) comply with the UCOP Appendix Data Security (DS) by addressing campus policy and regulatory requirements (e.g., FERPA, GDPR, HIPAA) in a detailed security plan.  

The ISO Security Assessments Team will review the plan for compliance with the Appendix DS requirements and relevant laws or regulations, to identify any gaps, and will provide a recommendation report to help the requester and Buyers assess vendor risk.

How to Get Started

Review the Details of the Vendor Security Assessment Service and then send a request email to  Please include the following information:

  • Name of requesting Unit
  • Project Lead contact information
  • UC Provisioning Representative contact information (if applicable)
  • Name of third-party vendor/product/service
  • Service description
  • Requested deadline for completion of the assessment

Please attach a copy of the following documents:

  • The Supplier security plan, along with any supporting documentation, e.g., SOC report, certifications, PCI DSS attestation of compliance (AOC)
  • A copy of the UCOP Appendix Data Security with the “Exhibit 1 - Institutional Information” section completed
  • Copies of the contract Terms & Conditions and/or Statement of Work (optional)

Service Details and Additional Information

Service category