1. How to prepare for a risk assessment
2. How to request an information risk assessment
3. For software/project/service vendors
4. For hardware vendors
5. For project sponsors

To prepare for an assessment, please have the following documentation ready:

• Fill out the respective documentation (as mentioned in the next sections) depending on the type of vendor
• Vendor contact details – in case they need to be contacted for clarification
• Vendor security documents:
  • Higher Education Community Vendor Assessment Toolkit (HECVAT), Consensus Assessments Initiative Questionnaire (CAIQ), Standardized Information Gathering (SIG) questionnaires or any other privacy/security whitepapers
  • ISO27001 certification and Statement of Applicability (SOA)
  • SOC 2, type 2 reports, SOC 3 or other equivalent reports as available
  • PCI DSS Certification and Attestation of Certification (AOC), at minimum
  • Vulnerability scan and/or penetration test reports – shows that the vendor is doing routine testing, and fixing bugs and vulnerabilities in their platform
• Contractual documents – any document which references any terms needs to be reviewed. Contracts need to clearly include the responsibilities. Contractual documents may include:
  • Purchase orders/invoices – if they refer to other terms apart from the contract/MSA
  • MSA or any other terms of service (global, local, service specific, etc.)
  • Draft contracts
  • Data Protection Agreements (DPAs)
  • Privacy policies

Divisions can open a ticket to request a risk assessment.

Please refer to the step-by-step guide for detailed instructions on how to complete and raise the ticket.

Complete the U of T Information Risk Management Questionnaire. This questionnaire details what sections vendors need to complete in addition to a Higher Education Community Vendor Assessment Toolkit (HECVAT).

Please reach out to the purchaser/procurement team to complete the Hardware Vendor Questionnaire.

Complete the U of T Internal Data Protection Questionnaire.

This intake form is for information risk assessments of projects or applications, managed internally or with a vendor. The information submitted will allow us to understand the purpose of your project and what is at risk. Skip any questions you think do not apply or don’t have answers to.

Questions in the form helps us establish the following:

• Purpose and scope of the project
• Privacy controls in place for the data being collected or used
• Nature of the agreement with the vendor (if applicable)