Vendor Risk Assessment (VRA) - Purchasing Software and IT Services

The UC-wide IS-3 IT security policy and UC Davis policy require that we complete a Vendor Risk Assessment (VRA) for any software or IT services that we use at UC Davis.

The goal of a VRA is to answer one question: "Can we trust this software or cloud service with UC data?"

As with all other aspects of IS-3, VRAs are risk-based: the level of risk is determined by the types of UC data that will be stored or processed, and the level of diligence in the process is scaled to match that data risk level.

  • For software and IT services that will be used with low-risk P1 (public) or P2 (internal) data, the VRA process can be completed by the LS IT team—usually within 3 business days. In many cases, we have previously vetted common software for blanket, automatic approval.
  • For software and IT services that will be used with medium-risk P3 (proprietary) or high-risk P4 (statutory) data, the VRA process is handled through the campus Information Security Office (ISO), which takes 2-9 months.
    • If you are working with sensitive P4 research data (e.g., identifiable human subjects data), FERPA-protected student data, large quantities of personally-identifiable information, data acquired from state or federal agencies that specifies security requirements, or other types of highly sensitive data, please plan around VRA delays in the purchasing process.

We have integrated the VRA process into our purchasing process—you do not need to separately request a VRA when purchasing software. When you request to purchase software or IT services through LS IT, we will guide you through the VRA process. In most cases, we'll respond with a short intake survey (~5 minutes to complete) to ask you to describe how you plan to use the software and the kinds of data you'll be working with.

One important note: you should never purchase software using personal funds and then expect reimbursement. Under policy, circumventing the UC Davis purchasing and VRA processes by purchasing on personal funds and requesting reimbursement means you will not be reimbursed. In some rare cases, reimbursement is the appropriate purchasing process, but a VRA needs to be completed before the purchase is made.

Contact LS IT to start the process of purchasing software or cloud services, or to request a VRA for any free/open source software, BEFORE you use it with university data.