Vendor Risk Assessment Guidance and Process

The purpose of the VRA is to reduce risk and verify compliance with UC Policy.

When is a VRA required?

A VRA is required anytime we use or purchase computer software or a cloud-based service that will hold data entered by UC Davis staff.

A vendor risk assessment allows departments to review the vendor’s security program, determine the level of risk to UC Davis data and/or systems, and identify specific gaps the vendor or department may need to address through action or contracts. A VRA is required to comply with IS-3 policy requirement 12.2.1, which formalizes the requirement that a risk assessment be completed when contracting for a third-party provided service that will handle UC Davis information, or otherwise potentially impact the security of UC Davis. The minimum requirement as it relates to contracting for third-party provided services calls for risk assessments of Cloud and Supplier services for Institutional Information classified at Protection Level 2 or higher.

In addition to receiving a conforming opinion from the security analyst and risk acceptance from the department head, the University of California Office of the President (UCOP) requires the inclusion of the Data Security and Privacy Appendix for all UC contracts involving third-party access to covered data. The appendix establishes baseline protection for the university in the event of a data breach. Campus units that engage with service providers to handle covered data must ensure the appendix is included in new contracts.