Data Security Compliance and CruzBuy

To: UCSC Faculty and Staff

From: Associate Vice Chancellor and Campus Controller, Biju Kamaleswaran, and ITS interim Chief Information Security Officer, Brian Hall

We write to update you on new Data Security and Privacy requirements when requesting services from Suppliers who will have access to UCSC data or systems. Suppliers must comply with UC security and privacy policies and standards. 

Per UC BFB IS-3 policy, Section 15, “Units must ensure that agreements with Suppliers contain security requirements that are consistent with this policy and supporting standards for the protection of and access to Institutional Information and IT Resources.”

The UCSC Procurement Office is modifying the CruzBuy Services Form to include specific Data Security questions. Proactive consultation with ITS will help the Unit complete the Data Security questions and support discussions with the Supplier and Unit Information Security Lead (UISL).


  1. Units must complete and attach Exhibit 1 - Institutional Information, pages 10-11 of UC Appendix DS, to the CruzBuy Requisition.

  2. Procurement will send the appropriate UC documents and Exhibit 1 to the Supplier.

  3. Supplier must send to Procurement their response to UC documents, and attach their Initial Information Security Plan - Exhibit 2, page 12 of UC Appendix DS.

  4. Procurement will send Supplier’s response and Exhibit 2 to designated Campus Reviewer for approval.

For questions on IS-3 policy and standards, contact

For CruzBuy and Supplier specific questions, contact