Overview
The Information Security Office (ISO) offers a Vendor Security Assessment Service for Supplier contracts that involve Supplier access to UC systems or to data classified at Protection Level P3 or P4. UC system-wide policy requires that Suppliers (also called "vendors") comply with the UCOP Appendix Data Security (DS) by addressing campus policy and regulatory requirements (e.g., FERPA, GDPR, HIPAA) in a detailed security plan.
The ISO Security Assessments Team reviews the plan against the Appendix DS requirements and the relevant laws or regulations, identifies any gaps, and provides a recommendation report to help the requester and Buyers assess vendor risk.
Ideally, the assessment takes place before the vendor service contract is finalized, so that the service can be verified against campus policy and, if gaps are found, additional contract provisions can still be negotiated with the vendor to address them.
A typical Vendor Security Assessment evaluation takes four to eight weeks.
Roles & Responsibilities
The campus roles that typically participate in a vendor security assessment include the following:
IT Resource Proprietor or Implementation Project Manager
Campus Unit representative who has overall responsibility for the application (e.g., budgeting and resource allocation), or Unit member responsible for the roll-out of the application or service, including vendor selection, contract specifications, configuration, personnel training, etc. Either of these roles may be involved in the vendor assessment and contract process, and the person in one of these roles will often handle communication with the UC Buyer/Procurement and the Supplier.
UC Buyer or Procurement Representative
Representative in the UC Procurement department responsible for the vendor contract negotiation.
ISO Analyst
A member of the ISO Security Assessments Team assigned as the primary analyst responsible for the engagement with the Unit.
Process
Each phase of the process is listed below with its activities and the estimated time required.
Phase: Buyer submits documentation to ISO
Before a vendor assessment can be initiated, the Buyer or Procurement Representative must provide the following information and documents to the ISO Assessments team using the Request a Vendor Security Assessment form (requires CalNet login).
Information:
Documents:
See "Appendix Data Security - Exhibit 1" below for details on completing Exhibit 1.
Estimated time required: the assessment is initiated when the documents are received.
Phase: Additional Vendor Security Questionnaire for High Risk Contracts
For all contracts involving P4 data, and for enterprise-wide contracts involving P3 data, an additional vendor security questionnaire is required. ISO uses the HECVAT (Higher Education Community Vendor Assessment Toolkit), a questionnaire of 300+ security questions developed by members of the EDUCAUSE community, as the framework for the assessment. The ISO Assessment Team assigns the HECVAT questionnaire to the vendor through an online survey application, Isora GRC. Vendors generally take two to four weeks to complete the survey.
Estimated time required: 2 - 4 weeks
Phase: ISO Assessment and Report
ISO Assessment Team analysts review the vendor security plan, along with the HECVAT survey responses (if required), to determine compliance with UC Appendix DS and regulatory requirements. The final deliverable from ISO is a risk assessment report with an Overall Report Rating and recommendations for remediating any gaps.
Estimated time required: 2 - 4 weeks
Appendix Data Security - Exhibit 1
The vendor security plan cannot be reviewed without the accurate completion of the Appendix DS Exhibit 1, which identifies the Protection Level of the data along with regulatory requirements.
Here is an example Appendix DS:
For help classifying the Protection Level of the data to be handled by the Supplier, refer to the UC Berkeley Data Classification Standard. For questions about privacy regulations under Exhibit 1 Section 3 (Institutional Information Regulation or Contract Requirements), contact the Privacy Office at privacyoffice@berkeley.edu. For questions about data security regulations, contact ISO at security@berkeley.edu.
Overall Report Rating
Each vendor assessment report will receive a "Recommend" or "Not Recommend" overall rating based upon evidence of the vendor's ability to adequately secure campus data. A "Not Recommend" rating is issued when the vendor security plan does not provide sufficient protections to address Supplier risk.
For Suppliers with an ISO security report rating of "Not Recommend", the Resource Proprietor, Project Manager, and/or Buyer will need to do one of the following:
- Negotiate contract provisions with the vendor to mitigate or remediate the control gaps
- Find another qualified vendor to perform the service
- Change the hosting requirements so that the service does not handle Protected Data
Recommendations
In addition to the Overall Report Rating, ISO will provide specific recommendations for addressing any compliance issues with the Appendix DS requirements. These recommendations often take the form of additional provisions for the contract Terms & Conditions. It is up to the Resource Proprietor, Project Manager, and/or Buyer to determine whether these additional contract provisions are relevant to the purchase and to work with the vendor to have them added if necessary.
Support
For support or questions about the Vendor Security Assessment Service, create a ServiceNow ticket by emailing security-assessments@berkeley.edu.