Usage guide

How to prepare for a risk assessment

To prepare for an assessment, please have the following documentation ready:

  • The required documentation (see the next sections), completed according to the type of vendor
  • Vendor contact details – in case clarification is needed
  • Vendor security documents:
    • Consensus Assessments Initiative Questionnaire (CAIQ), Standardized Information Gathering (SIG) questionnaires or other privacy/security white papers
    • ISO 27001 certification and Statement of Applicability (SOA)
    • SOC 2 Type 2 reports, SOC 3 or other equivalent reports
    • PCI DSS certification and Attestation of Compliance (AOC) at minimum
    • Vulnerability scan and/or penetration test reports – showing routine testing and remediation of bugs and vulnerabilities
    • Higher Education Community Vendor Assessment Toolkit (HECVAT). If no other vendor documentation is provided, you will need to complete the HECVAT yourself.
  • Contractual documents – documents that reference terms need to be reviewed. Contracts must clearly outline responsibilities. Contractual documents may include:
    • Purchase orders/invoices – if they refer to other terms beyond the contract/master service agreement (MSA)
    • MSA or other terms of service (global, local, service-specific, etc.)
    • Draft contracts
    • Data Protection Agreements (DPAs)
    • Privacy policies

How to request an information risk assessment

Divisions can open a ticket to request a risk assessment.

Please refer to the step-by-step guide for instructions on filling out the request form, including the types of documentation that may be required.

For hardware vendors

Contact the purchaser or procurement team to complete the Hardware Vendor Questionnaire.

For software, project and service vendors, internal projects and project sponsors

Complete the Privacy Risk Triage Form and submit any additional available documentation. An analyst from the Risk Management team will reach out if more information is needed.

Last modified: October 6, 2025