
Supplier Security Reviews

Proper Third Party Risk Management (TPRM) requires that Units cover every vendor relationship with security requirements and controls appropriate to the supply chain risk it introduces. Security requirements for supplier relationships are set out in UCI ISS section 15, which aligns with the same section of the UC IS-3 policy. Their purpose is to ensure that the supplier's security protections and the contractual agreements in place are appropriate for the service provided. Units partner with the central information security, privacy, legal, risk, and procurement teams as part of the overall software and IT services procurement review process, so that proper security and privacy practices are followed and the contract carries the necessary legal and insurance coverage. The supplier security review is part of, but does not replace, the overall risk assessment process.

Currently at UCI:

    • Inclusion of Appendix DS (or CISO-approved equivalent) into an agreement is required when a supplier has access to UCI institutional information or IT resources classified as P3 or P4, and it is recommended for P1 or P2.
    • The CISO’s office must centrally review the supplier when any of the following apply:
      • Supplier has access to UCI institutional information or IT resources classified as P3 or P4.
      • Any agreement that impacts UCI institutional information or IT resources classified as P4 (including Critical IT Infrastructure) regardless of supplier access.
      • The Unit is not trained and certified to accurately classify the protection level (P1/P2 vs. P3/P4) and identify the use case (e.g., whether the supplier has access) of the supplier relationship.
    • Renewals also need to be reviewed when there is any change to the classification, use case, supplier’s security posture, or UC contract language, and at a minimum every two years.

To initiate the Supplier Security Review Process

Note: If your Unit is participating in the new pilot UISL review process for low risk requests, please see these instructions instead.

    1. Download and complete the Supplier Security Review Questionnaire
    2. Email PDF to securityreviews@uci.edu to request a supplier security review from OIT Security.
    3. Monitor the email updates from ServiceNow; OIT Security will triage the request as low risk or high risk. If any answers are “unsure”, OIT Security will follow up with you to clarify.
    4. If determined as high risk and further review is required:
      1. Monitor email from OneTrust and complete the requested Supplier Review Intake Questionnaire which asks more detailed questions about the request.
      2. Let your supplier know that, after OIT Security reviews the intake questionnaire above, they should expect one or more emails from OneTrust asking them to submit security and/or privacy questionnaires as well. Remind them periodically to complete these.
      3. Inform your supplier that providing additional security documentation, including any of the examples below, will improve the likelihood of a successful approval:
        1. HECVAT, SOC 2 report, ISO/IEC 27001 certification, PCI Attestation of Compliance, third-party audit and/or vulnerability assessment, formal Information Security and/or Privacy Policy.
      4. Inform your supplier that UC Appendix DS will need to be included with the contract.
    5. Monitor the email updates from ServiceNow for follow-up actions and reminders. The final Approval and/or Report will be provided there so that you can continue your process with Procurement.

Additional Resources