UCANR

Vendor Risk Assessments

The IS-3 Electronic Information Security policy requires all software vendors (suppliers) to undergo thorough scrutiny to mitigate security risks. ANR has implemented a Vendor Risk Assessment process to comply with this policy. This helps us identify and address potential security vulnerabilities associated with third-party software vendors.

I want to use new software. Do I need a VRA?

It depends on your use case. The IS-3 policy mandates risk assessments when vendors handle information classified as P2 or higher (see Section 6.1.1 Risk Assessments).

If your unit has a Unit Information Security Lead (UISL), ask them for help identifying the information protection level of your use case. If it's P1, then a VRA is not required. Otherwise, submit a VRA request, and ANR IT will help you classify the information and perform the VRA if needed.

How do I submit a VRA request?

Submit a Vendor Risk Assessment Initiation Request.

Please allow a few weeks, just to be safe. We have approximately one person working on all the VRAs that come in.

How long will it take?

P1 or P2 VRAs may take up to several days. (P-levels are explained later on this page.)

Please allow several weeks to months for P3 or P4 VRAs. This is because we have to gather security documentation from the vendor and gain a general understanding of the vendor's reputation and information security risk. Please submit these requests well ahead of time!

What about AI-enabled tools?

In addition to your VRA request, please also contact HR and IT to submit an AI Project Request Form as described in our Guidelines for AI Tools.

What about tools already in use at another UC campus?

ANR IT usually performs its own risk assessment, regardless of whether another campus already uses a given product.

The exceptions are vendors that have systemwide agreements with the University of California. Here are some of those vendors, from UC Davis Cloud Storage Options:

  • Microsoft OneDrive: Approved for P4
  • Box.com: Approved for P3
  • Google Drive: Approved for P2

How do I use the VRA approved list?

The VRA approved list shows what P-levels we've approved different vendors for. This may help you estimate VRA turnaround time. The approved list also allows BOC/SWPR to ensure software has been approved by ANR IT before they purchase it. However, the list does not provide blanket software approval. Every use case needs its own VRA because the information involved is different.

Each software product on the list contains the following information:

  • Vendor Name / Service
  • Status
    • If "Complete" or "No Assessment Required", then the tool has previously been approved for its associated P-level.
    • If "Contact ANR IT", then submit a new VRA request and explain your use case.
  • Reassessment Date: The date when the approval expires. Submit new VRA requests well in advance of this deadline.
  • Approved Data Protection Level: The level of data protection for which the vendor has been approved (P1, P2, P3, P4). See below for details.
  • Agreement Number: The ANR agreement number for the vendor, if applicable.

Sample situations

Please note that these examples are not necessarily currently approved products.

Q: I want to use Canva to design marketing materials. Do I need a VRA?
A: Marketing materials are public (P1), so no VRA is needed unless you want BOC to purchase the product.

Q: I want ChatGPT to help me edit public blog posts. Do I need a VRA?
A: Blog posts are public (P1), so no VRA is needed unless you want BOC to purchase it. Because of the ANR Principles of Community (particularly Integrity and Transparency) and the UC Responsible AI Principles (particularly Transparency, Accuracy, and Fairness), you should always fact-check AI content, as well as acknowledge AI use.

Q: Do I need a VRA to ask ChatGPT to help me with data analysis?
A: If the data is public (P1), no VRA is needed. If the data is unpublished (P2), you can substitute synthetic data that has the same structure but none of the real values; no P2 information leaves ANR, so no VRA is needed. If you need to use the real data, you will need a VRA and an AI Project Request Form.

Q: Do I need a VRA for Proton Calendar if Proton Mail, which is created by the same vendor, is already approved?
A: Yes, because the data involved might be different.

Q: My VRA for Obsidian is about to expire, but my use case hasn't changed. Do I need a new VRA?
A: Yes, because Obsidian's security practices may have changed.

What are information protection levels (P1, P2, P3, P4)?

The UC has defined four information protection levels, or P-levels, to classify different types of information by their sensitivity:

P1: Public. Disclosure is not a problem. The main concern is unwanted modification.

Public research data, press releases, marketing materials, hours of operation, etc.

No VRA needed, unless you need BOC to purchase it.

P2: Internal. Disclosure or modification could lead to minor damage, financial loss, or privacy impact.

Unpublished research work, most meeting notes, routine business records and emails, etc.

A VRA is required (IS-3 Section 6.1.1 Risk Assessments).

P3: Proprietary. Disclosure or modification could result in moderate fines or damage.

Large sets of personally identifiable information, UC personnel records, IT security information, etc.

A VRA is required (IS-3 Section 6.1.1 Risk Assessments).

P4: Statutory. Disclosure or modification could result in significant penalties.

Large sets of comprehensive personally identifiable information, date of birth + full name, credit card information, health information, financial accounting and payroll information, etc.

A VRA is required (IS-3 Section 6.1.1 Risk Assessments).

Note: When your data stays on your own machine and is not uploaded to the cloud, no VRA is needed. Common examples are programs that perform data analysis locally. Check that the program does not send your data to the vendor anyway (for example through an account-linked sync or a cloud-backed AI feature); if it does, the data is leaving your machine and the use case needs a VRA.

How do VRAs fit into the procurement process?

Here's how procurement works (note that VRA approval is only one of the approvals required):

  1. You pick a software product with the help of your unit head (and Unit Information Security Lead).
  2. You submit a VRA request to UCANR IT.
  3. IT sends you a VRA report containing recommendations, which your unit head signs. The report filename names the vendor, the unit, and the year and month, for example “VRA_LinkedInLearning_HR_202604.pdf”.
    1. For AI tools, you also submit an AI Project Request Form to HR and IT. Read more at Guidelines for AI Tools.
  4. IT adds the software to the approved list. At this point, the VRA is finished.
  5. If the request is for a software service (not a software product), you submit a Request for Contracting Out Services Form to HR.
  6. You submit a Data and Technology Assessment Form to UC Davis. The Data and Technology Assessment Form replaces the Software Related Services (SRS) form that was previously required.
  7. You submit your PO to BOC/SWPR.
  8. BOC/SWPR makes sure the product is on the approved list, and then they send your PO to the UC Davis procurement team. BOC/SWPR provides you with a PO number.
  9. UC Davis makes sure you signed the Data and Technology Assessment Form, and then they purchase the product on your behalf.

Source URL: https://ucanr.edu/site/information-technology/vendor-risk-assessments