Cybersecurity - What UC Expects from Suppliers
Suppliers play an important role in protecting the University of California’s (UC) Institutional Information and IT Resources. The information on this page should help Suppliers understand what is needed to be a part of UC’s formula to manage cyber risk.
Suppliers to UC must meet a wide range of requirements. These span many topics, including meeting specifications and policy requirements; complying with laws, regulations, and initiatives (e.g., technology accessibility, carbon neutrality, sustainable practices, recycling, etc.); and managing industrial safety risk, cyber risk, and other risks.
UC spends more than $10 billion a year with suppliers, who play a vital role in UC’s success. As technology becomes more prevalent throughout UC’s supply chain, cybersecurity and cyber risk management are of paramount importance. UC’s supply chain must rise to this challenge, which is shared across the health care and higher education sectors globally.
In today’s economy and legal-regulatory environment, cybersecurity must be a priority for suppliers and their supply chain (sub-suppliers) who strive to serve UC and other institutions of higher education.
Specific Requirements for Cybersecurity
UC expects suppliers to have 5 basic cybersecurity elements in place. Suppliers must have:
- Security Plan: A written, reviewable, and implemented cybersecurity and cyber risk management plan that is clear about how UC’s (or any customer’s) data and resources are protected. Suppliers must keep this plan up-to-date and operating effectively. Suppliers should also be keenly aware of, and manage, the risks that stem from their own suppliers.
- Evidence the plan is working: A method to demonstrate that the plan is implemented and working effectively.
  Examples include:
  - Completed and reviewed HECVAT (used by over 100 universities);
  - SOC Type 2 Report using an appropriate set of controls;
  - ISO 27001 certification using an appropriate set of controls;
  - PCI Report on Compliance;
  - A Health Information Trust Alliance (HITRUST) Common Security Framework Certification;
  - A Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization;
  - FedRAMP Certification;
  - 3rd party audit demonstrating effective cyber risk management; or
  - Some combination of the above.
- Incident Response Plan: A plan for notifying UC within 72 hours of the identification of an incident and then keeping UC informed as the incident is investigated. If an extensive investigation is required, suppliers must commit to helping UC during the investigation and response phases.
- Customer Notification Plan: A plan for notifying UC within 72 hours when major changes occur or vulnerabilities are identified.
- Best Practices: A commitment to avoid some of the most common supply chain mistakes. All of these should be in the Supplier’s security plan. There are 8 best practices and 6 elements that must be present in any security plan (see “Basic Security Plan Elements” and “A Few Supplier Best Practices” below). By themselves, these do not constitute a security plan; they are a list of important items that must be present in the security plan and are required by UC’s electronic information security policy, IS-3.
The Appendix-Data Security (Appendix-DS) contains UC’s cybersecurity requirements and must be included in all agreements where the Supplier has access to UC Institutional Information and/or IT Resources. This Appendix was written to align with the 5 elements stated above.
Suppliers should consider UC’s requirements reasonable and accept that UC, along with other customers, expects Suppliers to have a plan to manage cyber risk.
In addition, UC’s terms and conditions require appropriate cyber insurance, ranging from $1 million to $10+ million depending on the data involved, as well as other insurance requirements.
Shared Responsibility Models
If the solution to managing cyber risk involves shared responsibility, then UC expects the Supplier to be able to clearly and unambiguously state what the Supplier manages, what UC is expected to manage, and, in the case of joint management, how that process operates.
Basic Security Plan Elements
Supplier’s Information Security Plan must:
1. Ensure the security (including but not limited to: confidentiality, integrity, and availability) of Institutional Information and IT Resources through the use and maintenance of appropriate administrative, technical, and physical controls;
2. Protect against any reasonably anticipated threats or hazards to Institutional Information and IT Resources (e.g., ransomware, loss or theft of equipment, nation state actors, insider risks, intellectual property theft, data theft, errors, etc.);
3. Related to 1 and 2, address the risks associated with the Supplier storing, processing, transmitting, or having access to Institutional Information and IT Resources;
4. Comply with applicable regulations and/or external obligations for data protection, security, and privacy;
5. Clearly document the cybersecurity responsibilities of each party;
6. Follow UC records retention requirements outlined in the Statement of Work (SOW) or in UC’s Terms and Conditions.
A Few Supplier Best Practices
The Supplier must make sure its security plan limits the Supplier’s access to, use of, and disclosure of Institutional Information and IT Resources to the least invasive degree necessary to provide the Goods and/or Services, by doing the following:
- Prevent the sharing of passwords or authentication secrets that provide access to Institutional Information and/or IT Resources;
- Prevent the use of passphrases (passwords) or other authentication secrets that are common across customers or multiple unrelated UC sites or units;
- Prevent unauthorized access to Institutional Information and IT Resources;
- Prevent unauthorized changes to IT Resources;
- Prevent the reduction, removal, or turning off of any security control without express written approval from UC;
- Prevent the creation of new Supplier accounts to access Institutional Information and IT Resources without express written approval from UC;
- Prevent the storing, harvesting, or passing through of UC credentials (username, password, authentication secret, or other factor); and
- Prevent the use or copying of Institutional Information for any purpose not authorized under the Agreement or any associated Statement of Work (SOW).
For more information, contact the Location’s information security office, procurement office, or designated contact.
How UC Classifies Data
UC uses a 4-tier approach to classify data. We call these tiers “Protection Levels.” Protection Level 1 is the lowest tier and Protection Level 4 is the highest tier.
Every Protection Level requires technical and administrative controls to satisfactorily manage cyber risks to confidentiality, availability, and integrity. At each level, more must be done to adequately protect UC’s Institutional Information.
It is important that both the UC Unit and the Supplier have a clear understanding of the data and use cases that the agreement covers. This is one of the purposes of Appendix DS Exhibit 1.
Here is a simple summary of each protection level (detailed descriptions are available on this page: Classification Standard and Guides):
- Protection Level 1 (P1): Institutional Information or information intended to be readily obtainable by the public. Data at this level must maintain its integrity. Unauthorized modification is the primary protection concern and availability is the secondary concern. It is sufficient to apply minimum security requirements for IT Resources at this level. For P1 data, Suppliers must demonstrate good cyber hygiene across all basic controls.
- Protection Level 2 (P2): Institutional Information and related IT Resources that may not be specifically protected by statute, regulations, or other contractual obligations or mandates. P2 data is generally not intended for public use or access. Additionally, P2 includes information whose unauthorized use, access, disclosure, acquisition, modification, or loss could result in damage or small financial loss, or cause minor impact on the privacy of an individual or group. At this level, Suppliers must demonstrate good cyber strategies to defend against and recover from common threats.
- Protection Level 3 (P3): Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties, or civil actions. P3 includes Institutional Information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in moderate damage to UC, its students, patients, research subjects, employees, community, and/or reputation; could have a moderate impact on the privacy of a group; could result in moderate financial loss; or could require legal action. This classification level also includes lower risk items that, when combined, represent increased risk. At this level, Suppliers must demonstrate comprehensive cyber strategies to defend against and recover from common threats and meet external standards. Cyber insurance requirements increase significantly at this Protection Level.
- Protection Level 4 (P4): Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations. Statutory, regulatory, and contract obligations are major drivers for this risk level. A Supplier handling P4 data might work with sensitive data types (e.g., personally identifiable information (PII), medical information or PHI, identifiable human subject data, export controlled data, credit cards, or items like medical devices and life safety systems). At this level, Suppliers must demonstrate robust cyber strategies to defend against and recover from all anticipated threats and meet external standards. Cyber insurance requirements increase significantly at this Protection Level.
UC also has 4 Availability Levels, from A1 (the lowest) to A4 (the highest). These are typically tied to the Service Level Agreement, but will also be reflected in the Supplier’s security plan.
Other Supplier Resources:
https://www.ucop.edu/