When a Vendor Risk Assessment is not required, but third-party software is installed and used on UC Davis Computers, follow the guidance outlined below.
Guidance for service coordinators of single-computer software provisioning
- Ask the application provider to confirm that the software is developed using secure development methods, and checked for vulnerabilities and back doors prior to being promoted into production.
- Ask the service provider whether any part of the software is developed and/or supported by persons outside of the United States.
- Confirm with the service provider that no cloud component or connection to the Internet is involved in operating this software.
- Document any concerns you discover, such as the software being developed outside of the United States, and discuss them with your Unit Head and the ISO to inform risk acceptance decisions.
Guidance for persons using the software
- Review the Privacy Policy on the service provider’s website, if purchasing the software requires you to enter information on that website.
- Look for security documentation on the website. Typically, it is toward the bottom of the primary web page, where you find the Privacy Policy, the “About” link, etc. If no information is available, check whether the product has a history of CVE vulnerabilities.
- Review the data classification standard at https://security.ucop.edu/policies/institutional-information-and-it-resource-classification.html. The guide that is posted there is particularly helpful.
- Confirm that the data that will be involved in this service/application does not exceed the P2 level, as defined in the standard.
- Compare checksums, if available, to ensure that the downloaded software was not maliciously modified.
- Ensure that you are downloading the software from a reputable source, rather than a link that is found by just searching for the software.
- Scan the installation files for malware before installing them.
- Install the software onto a computer that is securely maintained following the minimum security standard posted at https://security.ucop.edu/policies/security-controls-everyone-all-devices.html.
- Avoid installing the software onto a computer that contains or accesses highly sensitive information, such as P3 student records or P4 medical information and SSNs.
- Confirm that, if this software were to cause a compromise of your data or computer (such as premature release of the data to unauthorized viewers or malicious access to the computer), you, the university, and the university community and its colleagues would not be significantly harmed.
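The checksum comparison step above, written out as an added example (not part of the UC Davis guidance): a POSIX shell function that checks a downloaded installer against the SHA-256 line a vendor typically publishes, refuses the file on any mismatch, and rejects malformed or mis-named checksum lines. The file name and published line are constructed for the demo; obtain the real checksum from the vendor's own HTTPS site, not from the same mirror as the download.

```shell
#!/bin/sh
# Print the SHA-256 of a file using whichever tool the system provides
# (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_download FILE PUBLISHED_LINE
# PUBLISHED_LINE is in the "<sha256>  <filename>" format of SHA256SUMS files
# (a leading "*" on the name, meaning binary mode, is tolerated).
# Returns 0 on match, 1 on hash mismatch, 2 if the line is malformed or names
# a different file. Comparison is case-insensitive.
verify_download() {
    file=$1
    published=$2
    expected=$(printf '%s\n' "$published" | awk '{print tolower($1)}')
    named=$(printf '%s\n' "$published" | awk '{sub(/^\*/, "", $2); print $2}')
    case "$expected" in
        *[!0-9a-f]*|'') echo "malformed checksum line" >&2; return 2 ;;
    esac
    if [ ${#expected} -ne 64 ]; then
        echo "expected a 64-hex-digit SHA-256, got ${#expected} digits" >&2; return 2
    fi
    if [ -n "$named" ] && [ "$named" != "$(basename "$file")" ]; then
        echo "checksum line is for '$named', not '$(basename "$file")'" >&2; return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"; return 0
    fi
    echo "MISMATCH: do not install $file (expected $expected, got $actual)" >&2
    return 1
}

# Demo with a constructed file standing in for a downloaded installer.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed installer bytes\n' > "$tmp/installer.pkg"
    good="$(sha256_of "$tmp/installer.pkg")  installer.pkg"
    verify_download "$tmp/installer.pkg" "$good"
    printf 'x' >> "$tmp/installer.pkg"          # simulate tampering in transit
    verify_download "$tmp/installer.pkg" "$good" || echo "refusing tampered file"
    rm -rf "$tmp"
}
demo
```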
Revision date 10/30/2020