CAES Vendor Risk Assessment

After submitting the Vendor Risk Assessment (VRA) form, the email address provided during the process will receive a confirmation email that the assessment was received.


IMPORTANT: Before completing this form, you must complete a Protection Level Assessment.

Requestor Information


Please enter your first and last name

Enter your UC Davis email address.


NOTE: A copy of the request will be sent to this email address.

Enter a phone number you can be reached at.

Phone

Select your local IT Department from the list.


Related Records


What is the Assessment ID (CAES-PLA-#####) for the Protection Level Assessment (PLA)?


IMPORTANT

BE SURE TO ENTER A FULL PLA ID, INCLUDING "CAES-PLA-"


IF A VALID PLA ID IS NOT PROVIDED, YOUR VENDOR RISK ASSESSMENT REQUEST WILL BE AUTOMATICALLY CANCELLED AND YOU WILL NEED TO RESUBMIT


If you are unsure what to enter here, you can search your email for "CAES-PLA-" or contact your local IT Department.

If you have already submitted one for this, what is the Exception Request ID (CAES-EXREQ-#####) for the CAES IS-3 Exception Request?


If you are unsure what to enter here, you can search your email for "CAES-EXREQ-" or contact your local IT Department.

Previous Vendor Risk Assessment (VRA) Renewal*

Is this Vendor Risk Assessment (VRA) Request a renewal of an existing/previous Vendor Risk Assessment?

What is the Assessment ID (CAES-VRA-#####) for the previous Vendor Risk Assessment (VRA)?


If you are unsure what to enter here, you can search your email for "CAES-VRA-" or contact your local IT Department.

Vendor Risk Assessment (VRA) through Information Security Office (ISO)*

Have you already started, or completed, a Vendor Risk Assessment (VRA) through the Information Security Office (ISO)?

Please provide the ISO-led Vendor Risk Assessment (VRA) ID here (e.g. INC####### or RITM#######).


If you are unsure what to enter here, you can search the My Stuff page of the UC Davis ServiceHub for Active or Closed Tickets related to the ISO VRA or contact your local IT Department.



Vendor Information


Please provide the name of the vendor, supplier, reseller, etc.

Please provide the name of the product, service, etc.

Example: https://www.box.com or www.box.com

Name of vendor contact


NOTE: The Vendor Risk Assessment may be delayed if we do not have the name of the vendor contact.

Email Address of vendor contact


NOTE: The Vendor Risk Assessment may be delayed if we do not have the email address of the vendor contact.

Phone Number of vendor contact


NOTE: The Vendor Risk Assessment may be delayed if we do not have the phone number of the vendor contact.

Phone

If the vendor contact at the phone number requires an extension, please provide it below

Use Case Information


Vendor Risk Assessment (VRA) Type*

This should be a short and concise Business Purpose, which will be used on the Supply Chain Management (SCM) Form required during procurement.

Please describe, in as much detail as possible, how you plan to use the product/service/etc.

Provide any deadlines that are dependent on this Vendor Risk Assessment (VRA).

Select the type of service, product, environment, or organization involved (please select all that apply):

Because you selected 'Other' in the previous question, please clearly describe the service type

Anonymized Data*

Will the data be anonymized (de-identified)?

500+ Records*

Is the number of records 500 or more?

Approximately how many users/customers will use this service/product?

Groups or organizations served by this product or service (select all that apply)

Because you selected 'Other' in the previous question, please provide the other groups or organizations served by this product or service

If you are aware of another campus or unit that has a contract for this product or service, please provide the campus or unit name, and contact for information.

Data Sensitivity


Sensitive data elements with a Statutory Requirement for Notification to affected parties in case of a confidential breach:


  • Government issued identification numbers - Social Security number (SSN), Driver's license number, California ID card number, Tax ID number, passport number, military ID number, other government-issued ID numbers.
  • Personal medical information, including protected health information (PHI) - For purposes of this section, "medical information" means any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
  • Personal health insurance information - For purposes of this section, "health insurance information" means an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.
  • Genetic data as defined by California AB-825 (effective 1/1/2022) - For purposes of this section, "genetic data" means any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from analysis of the biological sample or other source, and any information extrapolated, derived, or inferred therefrom.


Because you selected 'Other' in the previous question, please describe the data to be stored, processed, or shared with the vendor.

Impact Assessment


Recovery Time*

Using the Recovery Level Classification as defined by IS-12, select the Recovery Time Objective.

Impact of Unauthorized Access*

Please indicate what the impact of unauthorized access to the product or service, or disclosure of the data, would be:


  • Minimal - Unauthorized access is limited to public information or information intended to be readily obtained by the public.
  • Low - Unauthorized use, access, disclosure, acquisition, modification or loss could result in minor damage or small financial loss, or cause minor impact on the privacy of an individual or group.
  • Medium - Unauthorized disclosure or modification could result in small to moderate fines or could require legal action.
  • High - Unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations. In addition, significant harm or impairment is done to UC students, patients, research subjects, employees, guests/program participants, UC reputation related to a breach or compromise, the overall operation of the Location or essential services.


Impact of Service Disruption*

Please select the impact that a service disruption or loss of availability related to the product or service would have:


  • Low - Loss of availability may cause minor losses or inefficiencies.
  • Medium - Loss of availability would result in moderate financial losses and/or reduced customer service.
  • Major - Loss of availability would result in major impairment to the overall operation of the university and/or essential services.
