If the Information Security Office determines that a Vendor Risk Assessment is not required for a cloud-based service, users must still adhere to the guidance below.

This guidance may be updated. Please check back often.

  • Access the UC Davis VRA program to verify whether the cloud solution needs a Vendor Risk Assessment.
  • Ensure the contract has Appendix DS attached. If the vendor declines, seek guidance on risks posed by the lack of contractual commitments from the vendor.
  • Establish a responsibility matrix with the vendor, clarifying user and vendor responsibilities.
  • Maintain the contract to ensure timely renewal, with sufficient time for VRA updates, if needed.
  • Access the cloud hosted service only from productivity devices that meet or exceed the IS-3 minimum security standard.
  • Provide secure use training or documentation to users.
  • Use supported and patched browsers.
  • Avoid accessing services for which the vendor allows use of insecure protocols, such as SSL 1.0.
  • Be aware that browsers cache information, and sensitive data may end up on user workstations where it may not be approved.
  • Log out of cloud hosted services and close the browser when finished.
  • Clear cache for additional protection.
  • Access cloud hosted services through verified URLs, rather than by searching for them and clicking on URLs that search engines display.
  • Ensure that data that is entered into the cloud hosted service does not exceed the approved data sensitivity.
  • Advise users about who is, and who is not, authorized to agree to click-through agreements online.
  • Be aware of imitation websites that may trick users into thinking they are using the legitimate website.
  • Retain awareness about when a cloud hosted service connects the user to a different service provider that may have a lower commitment to security or privacy.
  • Monitor news sources about the cloud hosted service to become aware in a timely manner if the service experiences security issues or a compromise.
  • Never enter passwords or sensitive information unless a secure session is established (HTTPS).
  • Do not ignore certificate errors or warnings. Back out and do not proceed if you receive such warnings.
  • Use a unique, strong password for each online service, one that you do not use for any other purpose.
  • Enable multi-factor authentication, if available.
  • Periodically check log files or historical screens to ensure your account is not being used by unauthorized persons, or at times when you were not logged in.
  • Seek confirmation that the service has been vetted, at minimum, for the OWASP Top Ten security issues.
  • Be aware of cloud hosted services that are hosted from, or store your data, outside of the United States, and determine whether that presents any contractual, privacy or compliance risks.

Public Information Search

General web search

  • Vendor name breach
  • Product/service name vulnerability
  • Vendor name litigation 
  • Vendor name lawsuit

California Attorney General website search

  • Vendor name 
  • Product/service name

California Secretary of State website search

  • Vendor name 
  • Product/service name

SSL Labs Scan of service

WikiLeaks

CVE Details

  • Cvedetails.com/vendor
  • Cvedetails.com/products

REN-ISAC Website: Does a HECVAT already exist?