If you are purchasing a software product or a cloud service that creates, stores, processes or transmits UCSF data, a full security risk assessment may be required.  In addition, computing devices associated with the system including  desktop computers and laptops (those not purchased via BearBuy catalogs -- Apple, CDWG, Dell, SHI); servers, mobile devices, network hardware, and other related technologies may require a risk assessment.  To determine if a full assessment is required, you will need to consult with IT Security at [email protected] as part of the procurement process.

Contact IT Security at [email protected] to determine if a risk assessment is required. After the IT Security review, you will receive a Risk Assessment Intake Email Response that indicates if an assessment is required.

If no assessment is required, attach that email response to your BearBuy requisition. If a full risk assessment is required, you will need to complete the assessment before you submit your requisition. If an assessment is required, you will need to attach the Risk Assessment Completion Email to your requisition.

• For more information on the full security risk assessment process, including how to request an assessment, what supporting documents are required, and what to expect during the process, please visit the Risk Sonar Security Risk Assessment page. Once you have a data flow diagram (and signed BAA, if required) and are ready to begin the assessment, please open a request here.
• Risk Sonar Security Risk Assessment
• UCSF IT Security Cloud Computing Guidance
• University of California Appendix – Data Security and Privacy
• Supply Chain Management Software and Cloud Computing page

University of California IS-3 Electronic Information Security