By Matthew Linzer. The University of California spends billions of dollars every year on goods and services provided by suppliers (sometimes called vendors or third parties). These represent a vast and diverse group of small, medium, and large businesses; complex engagements; complicated agreements—and risk.
Across UC, at any given time, thousands of suppliers directly or indirectly are interacting with UC students, faculty, researchers, patients, staff, and retirees through those individuals’ use of UC provided cloud services, video conferencing software, high performance computing, networked medical instrumentation, professional technical services, and online payroll and pension systems.
Many times these interactions involve the authorized access to and storage of sensitive UC institutional information. (“Institutional Information” is a term in the UC Electronic Information Security Policy, IS-3 to broadly describe all data and information created, received, and/or collected by UC.). Thus, the manner in which a supplier interacts with UC institutional information often creates additional risk to UC.
This article provides best practices to follow when you or anyone in the UC community wish to purchase goods and services from a supplier. These practices will help you reduce supplier-related cybersecurity risk
- prior to selection of a supplier,
- during the supplier’s term of engagement, and
- at the time of contract renewal.
The minute you think you need to buy something that will involve storing, processing, or transmitting institutional information, please contact your procurement office and information security office. You are not in this alone—they are your strategic partners—. If you consult early and often with them throughout the procurement process, and with respect to any of the issues touched upon below, they will help you avoid pitfalls that put UC at risk.
It is key for you to know that UC suppliers interacting with UC institutional information must meet requirements as outlined in IS-3, specifically section section 15, Supplier Relationships. A good overview about these requirements is available and worth reviewing: Cybersecurity – What UC Expects from Suppliers.
Also, a number of formal documents exist to support policy compliance and mitigate contractual, cyber, statutory, and regulatory risks related to suppliers. These include the UC Terms and Conditions, UC Appendix Data Security, and UC Business Associate Agreement.
1. Bringing New Suppliers Onboard
UC Appendix Data Security. For new engagements through which a supplier will have access to UC institutional information and/or UC IT resources, the UC Appendix Data Security needs to be incorporated into most agreements. The first step is for you, the requestor, to complete the UC Appendix Data Security Exhibit 1. As the requestor, you have the best understanding of the expected use-case scenarios, and what (if any) UC institutional information is involved. If you have questions, consult your procurement or information security office. It also is recommended that you send the UC Appendix Data Security to your proposed supplier as early as possible for their review and awareness.
Exceptions to the UC Appendix Data Security. In some cases, there may be an approved equivalent to the UC Appendix Data Security or a documented, pre-approved exception process. For example, a UC location might have decided that agreements involving institutional information that, per policy, requires only the lowest protection level do not require the UC Appendix Data Security. If you think this is the case or that an exception may be warranted, please consult with your procurement or information security office.
Supplier (Vendor) Risk Assessment. According to IS-3 (see Section 15, Supplier Relationships), UC units using suppliers must conduct a risk assessment. Contact your information security office or unit information security lead for more information.
Security Due-Diligence Package. The supplier should provide evidence of information security compliance, which is known as a “security due-diligence package.” Preferably the package entails:
- Independent third-party audit reports, rather than reports by the supplier itself, since the supplier would have an inherent conflict of interest, and
- An information security plan provided by the supplier, as required per the UC Appendix Data Security’s Exhibit 2, that outlines the supplier’s own information security practices.
You may run into a variety of challenges: Suppliers may strike provisions within the UC Appendix Data Security, reject the UC Appendix Data Security, not have any information security compliance reports available, and/or not have a supplier information security plan. In these cases, it is best to seek alternative suppliers that offer similar services and products and who are willing to agree to the UC terms and provide requested documents. If there is no alternative because the supplier provides unique services and/or products, please consult with your procurement office for recommendations.
Applicability of Agreement Artifacts. The UC Appendix Data Security, along with the supplier’s information security compliance evidence, including their information security plan, should apply to all of the products and services covered by the proposed agreement.
No-Cost Agreements. Suppliers may offer some services for free, such as trial, demonstration, free, and open source software, as well as pilots. Nevertheless, use of these services must adhere to IS-3. Consult with your information security office about how “no-cost” agreements should be handled.
Additional Guidance. You should fully understand the components of the product or service sought, and the technical capabilities of any hardware and software you intend to purchase. For example, server, workstation, and laptop software may contain cloud components; receive automatic updates from the supplier; and have data sync features, syncing data across multiple systems/environments. These capabilities create additional risk for UC’s institutional information, so you need to know what you are purchasing. As always, consult with your procurement office, which may in turn direct you to other experts, such as the IT department.
Also, as a requestor, you should carefully review any terms a supplier may insert into an agreement; this language may limit UC’s recourse should supplier negligence occur. Keep an eye out for language about limitation of liability, indemnification, and warranty. Be sure to discuss with your procurement office how limitation of liability, indemnification, and warranty might negatively affect UC.
2. Taking Care with Existing UC Suppliers
If you already have an agreement with a supplier, IS-3 still requires that you do ongoing agreement monitoring. Breaches, information security incidents, and other security lapses must be reported immediately to both your procurement office and information security office. Additionally, the supplier’s latest information security compliance evidence should be evaluated, if available, during the engagement period and certainly prior to renewal.
The following examples demonstrate the need to monitor UC supplier relationships.
Scope Change (Amendments). If UC’s use of the supplier’s product/services changes, you will need to review IS-3 again, with support from your information security office, to ensure requirements will continue to be met. For instance, the UC institutionaliInformation covered by the agreement’s initial scope may have originally been classified at protection level 2 (defined in IS-3), but now it will include health records, which require a much greater level of protection (protection level 4).
Breaches and Security Incidents. Specific UC supplier reporting requirements are described in the UC Appendix Data Security, if the appendix was attached to the agreement. However, the supplier may notify UC through alternate means, such as notifying you as the requestor directly or indirectly via public messaging. Thus, it is critical to notify your information security and procurement offices any time you are made aware of a breach or security incident involving your supplier. Depending on its severity, your location may need to take immediate action.
Agreement Not Found or Dated. If you are aware of UC supplier relationships for which no formal agreement can be located, or if the agreement language is outdated or simply not dated, please immediately inform your procurement and information security offices. Such situations can put UC in a difficult position should something go wrong. While correcting these issues may take time, it is worth the effort to prevent adverse situations.
3. Renewing Supplier Contracts
Yes, you guessed it! Renewal requests must adhere to the IS-3 policy as well. As the renewal requester, you must identify any changes in scope and inform your procurement office. Also, please be aware that federal and California laws and regulations, as well as UC policies, may have changed since the initial purchase, and such changes may need to be reflected in the renewal agreement. For this reason, agreement renewals may require risk assessments, and these should assess both the supplier and any UC user responsibilities related to the supplier’s products and services. The depth and breadth of the risk assessments will be decided by your information security office.
As you can now appreciate, a lot goes into managing UC supplier risk, and UC needs your help and vigilance! This article does not provide an exhaustive list of all the potential issues, but hopefully it offers highlights that help you think about the many aspects of supplier risk and, importantly, encourage you to engage the expert help of your procurement and information security offices.
Matthew Linzer is information security manager, UC Office of the President.