How-To: VRA Approval Process for Software/Subscriptions (new or renewal)

In order to contract with a third-party Vendor (service provider), all University of California units are required under the IS-3 Policy to complete Risk Assessments for institutional information and IT resources. At UC Davis, the Information Security Office (ISO) manages the Vendor Risk Assessment (VRA) program to guide and assist with this process, which can feel daunting, confusing, and frustrating. But what goes into a VRA and why is it so important?  

Risks & Security: A Rapid Evolution 

UC Davis processes continue to evolve to adhere to the IS-3 Policy requirements. As technology continues to change, new risks emerge, so UC Davis’s approaches to security must evolve as well. While you may have made a recent technology purchase without a VRA, the same purchase or its renewal may require one in the future. A VRA is a point-in-time assessment that reveals threats and vulnerabilities that could adversely affect end users, operations, your department, and the entire university. When everyone works together to understand the security risks and their potential impacts, we can enhance the security of individual programs, departments, and UC Davis.

For more information regarding the VRA process, visit:

https://iet.ucdavis.edu/news/demystifying-vendor-risk-assessment-process

Instructions

Follow these steps to request a VRA for software at SHDS:

  1. Requestor submits “VRA/Purchase” request via a CSG Help Desk ticket by emailing SHDS-Helpdesk@ucdavis.edu and CC’ing the SHDS UISL, Martin Couture (mcouture@ucdavis.edu). Be sure to include the following in the request:

--Vendor/Software:
a. Vendor Name
b. Vendor Contact Name (if applicable) and/or Email
c. Software Name (if different than a.)
d. Website/URL
e. Type/Package (essential, basic, pro, etc.)
f. Number of Licenses/Quantity
g. Status: New or Renewal (if renewal, include past request email chain or applicable info)

--Cost/Account:
a. Cost
b. Account/Sub

--User/Owner Info:
a. Owner Info:
-Unit/Sub-Unit
-Staff Contact
b. Login Info (if applicable)
c. From your perspective, what information will be stored via the software?

  2. Once the request is received, Martin will review it and either:
    -Work with the requestor to submit a VRA request
    -Complete/submit the Software Form for the order via Procurify

  3. The Purchasing Team will process the request via Procurify

  4. Once the request is approved, the Purchasing Team will follow up with the requestor(s)

Note: These instructions are also posted on SHDS HUB here:

https://shds.ucdavis.edu/computer-services-resources#Programs/Services/Software for Staff
