Step 3 - Supplier Security Assessment

Have a Security Risk Assessment Conducted by the Information Security Office (ISO), When Required


Introduction

The University of California (UC) Electronic Information Security policy (BFB IS-3) requires that systems that create, store, process or transmit data, whether internally at UC or externally through a Supplier or other third party, be assessed for risk. When P3 or P4 Institutional Information at UC Berkeley is involved, a Vendor Security Assessment must be conducted. This applies to UC Berkeley data that includes, but is not limited to:

  • Protected Health Information (PHI)
  • Personally identifiable information (PII)
  • Payment Card Industry (PCI) data
  • Research Health Information (RHI)
  • Family Educational Rights and Privacy Act (FERPA) data
  • Other restricted or sensitive data

Risks Associated with Software Purchases

Cloud computing and software purchases carry a particular exposure to contractual risk. For example, such purchases are commonly accompanied by very easy-to-execute “click-through” agreements that use the Supplier's own terms and conditions.

“Click-through,” “shrink-wrap” and similar supplier terms/agreements may constitute legally binding agreements, binding UC to their terms. Acceptance of such terms as written could expose the University to unacceptable and costly risks, including but not limited to: liability for using infringing software; liability for third-party acts or omissions (i.e., a direct violation of a UC Standing Order); HIPAA violations; possible mishandling of sensitive data; intellectual property concerns; and non-compliance with Federal, State, UC and funding-agency laws, regulations and policies.

Such "click-through" agreements for software or services available on the Internet are not approved by UCOP or UC Berkeley legal and procurement departments; moreover, only authorized individuals can enter into agreements for UC. Therefore, please avoid clicking-through on such agreements and instead please use the BearBUY Software and Cloud Computing form to engage SCM in finalizing your transaction, including agreement terms that are compliant with regulations, UC policies, etc.

Consider using any established UC agreements, which can help determine your supplier selection, possibly improve product pricing, and offer better terms and conditions of sale. If you are using such an agreement, please enter the contract information (title, reference number, etc.) in the box under “Software Information and Justification” on the BearBUY Service form.

When Does an IT Security Risk Assessment Apply?

If you are purchasing a software product or a cloud service that creates, stores, processes, or transmits UC Berkeley data, a full security risk assessment is required if it involves P3 or P4 data. The Information Security Office's (ISO) Security Assessments Team will review the Supplier's data security plans for compliance with the Appendix - Data Security requirements and relevant laws or regulations, identify any gaps, and provide a recommendation report.

To determine whether a Vendor Security Assessment must be part of the procurement process, see the Vendor Assessment Review Matrix.

Documents required by ISO to conduct the Vendor Security Assessment include:

  • The Supplier security plan, along with any supporting documentation, e.g., SOC report, certifications, HECVAT, PCI DSS Attestation of Compliance (AOC)
  • A copy of the UCOP Appendix - Data Security with the “Exhibit 1 - Institutional Information” section completed*
  • Copies of the contract Terms & Conditions and/or Statement of Work

Please allow 4-8 weeks for a Vendor Security Assessment to be completed. Time to completion will vary depending on assessment team workload, risk, and vendor response time.