Details of the Vendor Security Assessment Service

Overview

The Information Security Office (ISO) offers a Vendor Security Assessment Service for Supplier contracts that involve Supplier access to UC systems or to data classified at Protection Level P3 or P4.  UC system-wide policy requires that Suppliers (aka “vendors”) comply with the UCOP Appendix Data Security (DS) by addressing campus policy and regulatory requirements (e.g., FERPA, GDPR, HIPAA) in a detailed security plan.  

The ISO Security Assessments Team will review the plan for compliance with the Appendix DS requirements and relevant laws or regulations, to identify any gaps, and will provide a recommendation report to help the requester and Buyers assess vendor risk.

Ideally, the assessment takes place before the vendor service contract is finalized, to ensure that the service meets campus policy and for an opportunity to negotiate additional contract provisions with the vendor to address any gaps if necessary.

A typical Vendor Security Assessment evaluation takes two to eight weeks. 

Roles & Responsibilities

The campus roles that typically participate in a vendor security assessment include the following:

IT Resource Proprietor or Implementation Project Manager

Campus Unit representative who has overall responsibility for the application (e.g., budgeting and resource allocation), or Unit member responsible for the roll-out of the application or service, including vendor selection, contract specifications, configuration, personnel training, etc.  Either one of these roles may be involved in the vendor assessment and contract process.  The person in one of these roles will often handle communication with the UC Buyer/Procurement and the Supplier.

UC Buyer or Procurement Representative

Representative in the UC Procurement department responsible for the vendor contract negotiation.

ISO Analyst

A member of the ISO Security Assessments Team assigned as the primary analyst responsible for the engagement with the Unit.

Process

Phase

Activities

Estimated Time Required

Buyer submits documentation to ISO

Before a vendor assessment can be initiated, the Buyer or Procurement Representative must provide the following documentation to the ISO Assessments team (security@berkeley.edu):

  • The Supplier security plan, along with any supporting documentation, e.g., SOC report, certifications, PCI DSS attestation of compliance (AOC)

  • A copy of the UCOP Appendix Data Security with the “Exhibit 1 - Institutional Information” section completed*

  • Copies of the contract Terms & Conditions and/or Statement of Work (optional)

*See details below for completing Exhibit 1.

Assessment is initiated when documents are received

Additional Vendor Security Questionnaire for High Risk Contracts

For all contracts involving P4 data, and for enterprise-wide contracts involving P3 data, an additional vendor security questionnaire is required.  ISO uses the HECVAT (Higher Education Community Vendor Assessment Toolkit) questionnaire, a list of 300+ security questions developed by members of the Educause community, as the framework for the assessment.

The ISO Assessment Team assigns the HECVAT questionnaire to the vendor using an online survey application, Isora GRC.  The time it takes for a vendor to complete the survey is generally two to four weeks.

2 - 4 weeks

ISO Assessment and Report

ISO Assessment team analysts will review the vendor security plan, along with the HECVAT survey responses (if required), to determine compliance with UC Appendix DS and regulatory requirements.

The final deliverable from ISO will be a risk assessment report with an Overall Report Rating and recommendations for remediation of any gaps.

2 - 4 weeks

Appendix Data Security - Exhibit 1

The vendor security plan cannot be reviewed without the accurate completion of the Appendix DS Exhibit 1, which identifies the Protection Level of the data along with regulatory requirements.

Here is an example Appendix DS:

For help with classifying  the Protection Level of the data to be handled by the Supplier, please refer to the UC Berkeley Data Classification Standard.  

For questions regarding Privacy regulations under Exhibit 1 Section 3 (Institutional Information Regulation or Contract Requirements), contact the Privacy Office at privacyoffice@berkeley.edu

For questions about Data Security regulations, please contact ISO at security@berkeley.edu

Example showing P3 student data

 

Overall Report Rating

Each vendor assessment report will receive a "Recommend" or "Not Recommend"  overall rating based upon evidence of the vendor's ability to adequately secure campus data.  A "Not Recommend" rating is issued when the vendor security plan does not provide sufficient protections to address Supplier risk.

For Suppliers with an ISO security report rating of "Not Recommend", the Resource Proprietor, Project Manager, and/or Buyer will need to either:

  • Negotiate contract provisions with the vendor to mitigate or remediate the control gaps

  • Find another qualified vendor to perform the service

  • Change the hosting requirements so as not to include Protected Data, or

  • Request an exception from ISO

Recommendations

In addition to the Overall Report Rating, ISO will provide specific recommendations for addressing any compliance issues with the Appendix DS requirements.  These recommendations often suggest additional provisions to the contract Terms & Conditions.  It is up to the Resource Proprietor, Project Manager, and/or Buyer to determine if these additional contract provisions are relevant to the purchase and to work with the vendor to have them added if necessary.

Supplemental Information

The Vendor Assessment Review Matrix lays out requirements needed for a successful Vendor Assessment review based on the level of Protected Data. 

Support

For support or questions about the Vendor Security Assessment Service, email security@berkeley.edu.

Frequently Asked Questions