UCANR

Vendor Risk Assessments

The IS-3 Electronic Information Security policy requires all software vendors (suppliers) to undergo thorough scrutiny to mitigate security risks. ANR has implemented a Vendor Risk Assessment process to comply with this policy. This helps us identify and address potential security vulnerabilities associated with third-party software vendors.

I want to use some software. Do I need a VRA?

Almost certainly yes. The IS-3 policy mandates risk assessments when vendors handle information classified as P2 or higher (see Section 6.1.1 Risk Assessments). Submitting a VRA request is the best way to verify whether your use case is P2 or higher.

If your unit has a Unit Information Security Lead (UISL), ask them for help identifying the information protection level of your use case. Otherwise, submit a VRA request, and ANR IT will classify the information protection level and perform the VRA.

I want to purchase software services. Do I need a VRA?

Yes. Submit a VRA request (see "How do I submit a VRA request?" below). You will also need to submit a Contracting Out Services form to HR.

Common examples of software services include desktop IT support and printing services performed by third-party vendors.

How do I submit a VRA request?

Submit a Vendor Risk Assessment Initiation Request.

Please allow a few weeks, just to be safe. We have approximately one person working on all the VRAs that come in, so requests are handled in the order received.

How long will it take?

P1 or P2 VRAs may take up to several days. (Read more about P-levels at the end of this page.)

Please allow several weeks to months for P3 or P4 VRAs. This is because we have to gather security documentation from the vendor and gain a general understanding of the vendor's reputation and information security risk. Please submit these requests well ahead of time!

What about AI-enabled tools?

Submit both a VRA request and an AI Project Request Form, as described in our Guidelines for AI Tools. For now, you'll need to contact HR and IT directly to receive the form.

What about tools already in use at another UC campus?

ANR IT usually performs its own risk assessment, regardless of whether other campuses already use a given product.

The exceptions are vendors that have systemwide agreements with the University of California. Here are some of those vendors, from UC Davis Cloud Storage Options:

  • Microsoft OneDrive: Approved for P4
  • Box.com: Approved for P3
  • Google Drive: Approved for P2

How do I use the VRA list?

The VRA list shows what P-levels we've assessed different vendors for. This may help you estimate VRA turnaround time. The VRA list also allows BOC/SWPR to ensure software has been assessed by ANR IT before they purchase it. However, the list does not provide blanket approval. Every use case needs its own VRA.

Each software product on the list contains the following information:

  • Vendor Name / Service
  • Status
  • Reassessment Date: The date when the approval expires. Submit new VRA requests well in advance of this deadline.
  • Approved Data Protection Level: The level of data protection for which the vendor has been approved (P1, P2, P3, P4). See below for details.
  • Agreement Number: The ANR agreement number for the vendor, if applicable.

Sample situations

Please note that these examples are not necessarily currently approved products.

Q: I want to use Canva to design marketing materials. Do I need a VRA?
A: Marketing is public (P1), so no VRA is needed unless you want BOC to purchase it.

Q: I want ChatGPT to help me edit public blog posts. Do I need a VRA?
A: Blog posts are public (P1), so no VRA is needed unless you want BOC to purchase it. Because of the ANR Principles of Community (particularly Integrity and Transparency) and the UC Responsible AI Principles (particularly Transparency, Accuracy, and Fairness), you should always fact-check AI content, as well as acknowledge AI use.

Q: Do I need a VRA to ask ChatGPT to help me with research data analysis?
A: If the data is public (P1), then no VRA is needed. If the data is unpublished (P2), then you can substitute fake data that looks similar, and then no VRA is needed. However, if you need to use your real data, you will need both a VRA and an AI Project Request Form.

Q: Do I need a VRA for Proton Calendar if Proton Mail, which is created by the same vendor, is already approved?
A: Yes, because the data involved might be different.

Q: My VRA for Obsidian is about to expire, but my use case hasn't changed. Do I need a new VRA?
A: Yes, because Obsidian's security practices may have changed.

What are information protection levels (P1, P2, P3, P4)?

The UC has defined four information protection levels, or P-levels, to classify different types of information by their sensitivity:

P1: Public. Disclosure is not a problem. The main concern is unwanted modification.

Public research data, press releases, marketing materials, hours of operation, etc.

No VRA needed, unless you need BOC to purchase it.

P2: Internal. Disclosure or modification could lead to minor damage, financial loss, or privacy impact.

Unpublished research work, most meeting notes, routine business records and emails, etc.

A VRA is required (IS-3 Section 6.1.1 Risk Assessments).

P3: Proprietary. Disclosure or modification could result in moderate fines or damage.

Large sets of personally identifiable information, UC personnel records, IT security information, etc.

A VRA is required.

P4: Statutory. Disclosure or modification could result in significant penalties.

Large sets of comprehensive personally identifiable information, date of birth + full name, credit card information, health information, financial accounting and payroll information, etc.

A VRA is required.

Note: When your data stays on your own machine and is not uploaded to the cloud or otherwise sent to the vendor, no VRA is needed. Common examples include programs that perform data analysis locally on your machine.

Information protection level classification should be performed by trained individuals, either your UISL or members of ANR IT.

How do VRAs fit into the procurement process?

Here's how procurement works:

  1. You pick a software product with the help of your unit head (and/or Unit Information Security Lead).
  2. You submit a VRA request to UCANR IT, answering some questions about your use case so the software can be assessed for information security.
  3. IT sends you a VRA report containing some recommendations, which your unit head signs. Filename format: “VRA_LinkedInLearning_HR_202604.pdf”.
    1. For AI tools, you also submit an AI Project Request Form to HR and IT. Read more at Guidelines for AI Tools.
  4. IT adds the software to the approved list. At this point, the VRA is finished.
  5. If the request is for a software service (not a software product), you submit a Request for Contracting Out Services Form to HR.
  6. You submit a Data and Technology Assessment Form to UC Davis, answering some questions about bulk data transfer and accessibility for compliance purposes. Your unit head will receive a link to sign the DTA form online. (The Data and Technology Assessment Form replaces the Software Related Services (SRS) form.)
  7. You submit your PO to BOC/SWPR.
  8. BOC/SWPR makes sure the product is on the VRA list, and then they send your PO to the UC Davis procurement team. BOC/SWPR provides you with a PO number.
  9. UC Davis makes sure you signed the Data and Technology Assessment Form, and then they purchase the product on your behalf.

Source URL: https://www.ucanr.edu/site/information-technology/vendor-risk-assessments