Under IS-3 all software must go through a VRA (vendor risk assessment); this is like a background check but for software. Also every use case for a piece of software must be reviewed for security.
Requesting Software
- Optional Preliminary steps
- Create a list of software that will meet your needs
- Email you list to FoodChainIT@ucdavis.edu and ask for the list to be ranked based on VRA
- This ranking is not a security review or VRA
- Use the ranking to guide your final decision
- Requesting a VRA/security review
- Get a quote and start a new order in PrePurchasing
- When communicating with the vendor let them know that IT will be contacting them in regards to a security review
- Completing a HECVAT is very helpful: https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit
- For free software an installation request ticket created via FoodChainIT@ucdavis.edu should be created instead
- Complete the CAES Software Protection Level Assessment and forward the results to FoodChainIT@ucdavis.edu
- We may ask additional question for clarification
- Allow 3 days to 4 weeks for the review to be completed
- This varies wildly depending mostly on work load and vendor cooperation
- When the review is completed we will attach the required form to your PrePurchasing order or installation request
- Get a quote and start a new order in PrePurchasing
Exceptions
- Software not supported by vendor or not receiving security updates
Supported Software
| Required | Standard | Available |
|---|---|---|
|
|
|