Step 2 - Cybersecurity and Data Classification Responsibilities

Provide Important Information to Initiate the Process (Data Classification, Role of IT Resource Proprietor, Project Manager, or End-User Requestor)


Determine the Applicable Data Classification and Protection Level Requirements

Software as a service (SaaS) and cloud computing service providers must provide commercially acceptable cybersecurity and cyber risk management plans to protect Institutional Information and/or IT Resources when providing their services to UC. Suppliers should provide their data security management plans prior to beginning services. These plans should include a well-developed business interruption and disaster recovery program, assurances that their products are not susceptible to errors, failures, or vulnerabilities, and confirmation that they abide by any applicable regulatory requirements for electronic records security compliance.

Additionally, Suppliers must obtain, keep in force, and maintain cyber liability insurance coverages when they will create, maintain, transmit or store Institutional Information on behalf of UC. 

The Department's IT Resource Proprietor, Implementation Project Manager, and/or Data Security Subject Matter Experts (SMEs) are responsible for determining the Protection Level when a Supplier will have access to UC Institutional Information and/or IT Resources, and this determination must be made prior to beginning services with a software or cloud computing service provider.

Protection Levels

UC Institutional Information and IT Resources are classified into one of four Protection Levels based on the level of concern related to confidentiality and integrity. P4 requires the most security controls and P1 requires a minimum set of security controls.

Please see the following webpage for Protection Level information: https://security.berkeley.edu/data-classification-guideline

Need Assistance? 

If you're unsure about the Protection Level of your data, contact the ISO Vendor Assessment Team at security-assessments@berkeley.edu with your questions. After IT Security reviews your questions, you may receive a response indicating whether or not a Vendor Security Assessment is required.

If no assessment is required, attach that email response to your BearBuy requisition when purchasing software or cloud computing services.

If a risk assessment is required, complete the assessment before you submit your requisition in BearBuy. Once ISO has provided the completed Risk Assessment Report to your department, attach it as an internal attachment to your requisition.

Other Useful References

For more information on the assessment process, including how to request an assessment, what supporting documents are required, and what to expect during the process, please visit the Details of the Vendor Security Assessment Service page.