Vendor Risk Assessments

The recently published UC IS-3 Policy requires Units to complete Risk Assessments for Institutional Information and IT Resources. The minimum requirement as it relates to contracting for 3rd party provided services calls for risk assessments of Cloud and Supplier services for Institutional Information classified at Protection Level 2 or higher. Assessing 3rd party service providers can seem daunting, but the UCD Information Security Office has a program in place to guide and assist with this process. If you are planning to acquire services in the "Cloud" that will collect, store, process and/or transmit P2 or higher data, contact for consultation well in advance of any contract or service deadlines.