If you are purchasing a software product or a cloud service that creates, stores, processes or transmits UCSF data, a full security risk assessment may be required.  In addition, computing devices associated with the system including  desktop computers and laptops (those not purchased via BearBuy catalogs -- Apple, CDWG, Dell, SHI); servers, mobile devices, network hardware, and other related technologies may require a risk assessment.  To determine if a full assessment is required, you will need to consult with IT Security at [email protected] as part of the procurement process.

Contact IT Security at [email protected] to determine if a risk assessment is required. After the IT Security review, you will receive a Risk Assessment Intake Email Response that indicates if an assessment is required.

If no assessment is required, attach that email response to your BearBuy requisition. If a full risk assessment is required, you will need to complete the assessment before you submit your requisition. If an assessment is required, you will need to attach the Risk Assessment Completion Email to your requisition.

• Software & Cloud Computing Form

• For more information on the full risk assessment process, including how to request an assessment, what supporting documents are required, and what to expect during the process, visit the IT Security Risk Assessment page.
• UCSF IT Security Cloud Computing Guidance
• University of California Appendix – Data Security and Privacy
• Supply Chain Management Buying Software and Cloud Computing page

University of California IS-3 Electronic Information Security