Planning to use a new system? You must complete a computing risk assessment before you purchase or set it up.
Computing risk assessments (CRAs) enable the University to understand the risk associated with introducing software and services into the University. Our computing risk assessment supports the introduction and use of secure and compliant computing services, in line with the University's IT Outsourcing and Cloud Computing Policy. The process helps us to ensure that system providers have adequate technical controls in place to secure University data.
Risk assessments should be undertaken early so that systems can be used safely at the University. Without a signed-off risk assessment, Procurement will not approve the purchase.
This guidance applies specifically to the procurement of new IT systems and services, and to existing services which have not previously been through this process.
To assess the security of systems and software you are developing, request an IT system security review.
What you need to do
- Complete the onboarding form below: Tell us about the system you're planning to use by completing the pre-assessment form.
- Receive and manage the template: Upon submission of the form, a CRA template will be generated and shared with you via Google. You will also receive a confirmation email with instructions on what you need to do; if you do not receive this email, please contact us.
- Share the template with the system provider for completion: You are responsible for sharing the risk assessment template with the system provider (third party) and actively driving them to complete it.
- Submit for review: Once the vendor has completed the Vendor Questions tab and you have completed the cover page, email cyber-cra-group@york.ac.uk to state that your CRA is ready for review, providing a link to the CRA. We will then conduct an initial review as soon as possible.
- Resolve queries: IT Services will review the assessment and may raise queries or request clarifications. You are responsible for liaising with the provider to ensure these are addressed promptly.
- Final sign-off and contract: Final sign-off will be performed by the Cyber Risk & Compliance Manager or the Head of Cyber Security. Your risk assessment must be signed off before purchase; without it, the contract cannot be executed.
We are available to support you in this process, but the onus is on you to ensure the risk assessment is completed to the required standard and within the necessary timeframe. If you need help, please contact IT Services.
Further things to consider
Cyber security is just one important element. You also need to consider any other essential steps, including:
- Data Protection Impact Assessment (DPIA): If personal data is being processed, you will need to submit the DPIA screening tool to establish whether a full assessment is required.
- Technical Design Authority (TDA): Some systems may require review or advice from the Technical Design Authority. You should check in good time whether your proposal needs to be reviewed by the TDA. More information is available on the TDA webpages.
- Contract review: Please ensure contract terms and conditions are reviewed carefully before they are accepted. Further support can be provided by:
- Accessibility requirements: The University is legally required to meet accessibility standards for all digital products and services. The University's guidance, Procuring accessible systems, explains what you need to do if you're involved in a procurement process, and who can help.
Start the assessment
Complete our computing risk assessment questionnaire to get started.