Vendor Security Assessment Service

Overview

The Information Security Office (ISO) offers a Vendor Security Assessment (VSA) Service for Vendor contracts that involve Vendor access to UC systems or to data classified at Protection Level P3 or P4. The purpose of the VSA Service is to determine whether the Vendor’s security plan is adequate to safeguard UC systems and data. At the conclusion of the service, a report will be provided to the requesting party including an overall risk rating, risks, and recommendations. A typical VSA takes 4 - 6 weeks to complete starting from the date the Vendor has provided all the information requested to perform the VSA. Please plan accordingly.

Roles and Responsibilities

The campus roles that typically participate in a VSA include the following:

Requester	The Requester is responsible for: Filling out the VSA form Managing the relationship with the Vendor; including coordinating and communicating with the Vendor to ensure ISO and Venminder have all information required to complete the VSA. Responding to questions that arise during the VSA. The Requester should possess a sufficient understanding of the Vendor’s service and the Unit’s use case in order to respond to questions that may arise during the VSA. Informing and coordinating with the Unit Information Security Lead (UISL) and Unit Head to decide how risks identified in the report should be managed; It’s rare that a VSA contains no security concerns.
Buyer	Representative in the UC Procurement department responsible for the Vendor contract negotiation.
ISO Analyst	A member of the ISO Security Assessments Team assigned as the primary analyst responsible for the engagement with the Unit. The ISO Analyst will review the vendor’s security plan and will provide the Requestor with a report including an overall risk rating, risks, and recommendations.
Venminder	ISO has contracted Venminder to perform information security assessments of vendors on ISO’s behalf.

How to Get Started

Gather the following information from the Vendor (see FAQ):
- Vendor contact information (name, title, email address, and phone number)
- Name of third-party Vendor and the product/service being purchased
- Vendor’s SOC 2 Type II report (if available)
- PCI DSS compliance documentation such as a Self-Assessment Questionnaire (SAQ), Attestation of Compliance (AOC), and supporting policies) (if applicable)
Gather the following information:
- Name of requesting Unit
- Requester’s contact information (name, title, email address)
- Buyer’s contact information (name, email address)
- Description of the proposed use of the Vendor’s product/service
Complete the Appendix DS Exhibit 1. Consult with the Privacy Office if you need assistance with completing Appendix DS Exhibit 1.
Work with your Buyer to:
- Determine the Vendor’s willingness to accept all terms in the Appendix DS without modification.
- Determine whether the Vendor carries adequate cybersecurity insurance.
- Submit your BearBUY requisition.
Complete and submit the Request a Vendor Security Assessment form (requires CalNet login).
Please inform the Vendor that a representative from Venminder may be reaching out to them to conduct an assessment on UC Berkeley’s behalf.

If you have any questions about VSAs, please email security-assessments@berkeley.edu

Frequently Asked Questions

Additional Information

Appendix Data Security - Exhibit 1

The vendor security plan cannot be reviewed without the accurate completion of the Appendix DS Exhibit 1, which identifies the Protection Level of the data along with regulatory requirements.

Here is an example Appendix DS:

For help with classifying the Protection Level of the data to be handled by the Supplier, please refer to the UC Berkeley Data Classification Standard.

For questions regarding Privacy regulations under Exhibit 1 Section 3 (Institutional Information Regulation or Contract Requirements), contact the Privacy Office at privacyoffice@berkeley.edu.

For questions about Data Security regulations, please contact ISO at security@berkeley.edu.