Vendor Risk Assessments

What is a Vendor Risk Assessment?

A Vendor Risk Assessment (VRA) is a security review of outside companies, referred to as vendors or suppliers, that provide services or products to the university, access UC systems, and/or handle Protection Level P3 or P4 data. A VRA is a collaborative process used to identify security-related issues, determine the level of risk associated with those issues, and make informed decisions about risk mitigation or acceptance. 

When Should I Request a Vendor Risk Assessment?

A VRA should be completed for all new supplier requisitions or contract renegotiations. A VRA can also be performed for an existing service if business or technical partners determine one is needed, typically in response to security concerns or new security-related requirements.

How Do I Begin the Vendor Risk Assessment Process?

The following steps are required to requisition suppliers that will work with data at all protection levels (P1-P4):

  • Submit the CruzBuy Services Form and answer the Data Security questions. Before doing so, discuss the following issues with your Unit Head:
    • Whether the supplier will have access to UC institutional information or IT resources.
    • Which Data Classification Levels will be involved.
    • The estimated total number of records to which the supplier will have access.
  • Submit Exhibit 1 of the Appendix DS Form and attach it to the CruzBuy requisition.
  • If you would like to request an assessment before submitting a requisition in CruzBuy, please complete the Vendor Risk Assessment request.  

If the data that will be handled by the vendor is classified P1-P2:

  • The vendor is considered low risk by default and a security assessment is not needed.

If the data that will be handled by the vendor is classified P3-P4:

  • The vendor must comply with Appendix DS and provide their data security plan.*
  • The vendor must cooperate with UC Santa Cruz’s Vendor Risk Assessment process to demonstrate compliance with security policy. 
    • The security team will send the Vendor Contact a link to the security questionnaire (HECVAT Lite) automatically from the risk management platform. 

*UC system-wide policy requires that suppliers (aka “vendors”) comply with the Appendix Data Security (DS) by addressing campus policy and regulatory requirements (e.g., FERPA, GDPR, HIPAA) in a detailed security plan.  

What Happens Next?

After the above steps have been taken:

  • UC Santa Cruz Procurement will process the supplier requisition and open a SlugHub request for a VRA.
  • The ITS Information Security Team will review the vendor's security plan for compliance with Appendix DS requirements and relevant laws or regulations, identify any gaps, and provide a recommendation to the Business Contracts office (or team). 
  • Information Security will perform the VRA. If the supplier has not completed the HECVAT Lite, the supplier will automatically be deemed high risk.


This service is funded by Information Technology Services. There is no direct charge to the department requesting the service.

Get Help

Review the CruzBuy Services Form - Guidance on Data Security if you need assistance.

If you have questions about the VRA process, contact the Information Security policy team by email at