
Computing risk assessment

Planning to use a new system? You must complete a computing risk assessment before you purchase or set it up.

Computing risk assessments enable the University to understand risks. They help us ensure system providers have adequate technical controls to secure University data. Involve us early to ensure the system can be used safely at the University. Without a risk assessment, the system won’t be allowed on the network.

Our computing risk assessment (CRA) supports the introduction and use of secure and compliant computing services, in line with the University's IT Outsourcing and Cloud Computing Policy.

This guidance applies specifically to the procurement of new IT systems and services. To assess the security of systems and software that you already use or are developing, request an IT system security review.

What you need to do

  1. Complete the questionnaire:
    Tell us about the system you’re planning to use by completing the computing risk assessment questionnaire.
  2. Receive and manage the template:
    Upon submission of the questionnaire, you will receive a Computing Risk Assessment Google Doc template via email. The template will be stored in a new folder in Google Drive, which we can also access. Use the folder to store any associated documents. 
  3. Share the template with the system provider: 
    You are responsible for sharing the risk assessment template with the system provider (third party) and actively driving them to complete it. 
  4. Submit for review:
    Once the provider has completed their section, tag Calum Stevens (Cyber Risk and Compliance Manager) in the document using the @ mention feature. This will notify him that the document is ready for review. Ensure the document is shared with him if it isn't already.
  5. Address queries:
    Colleagues in IT Services will review the assessment and may raise queries or request clarifications. You are responsible for liaising with the provider to ensure these are addressed promptly. 
  6. Final sign-off and contract:
    Final sign-off will be performed by the Assistant Director of IT (Infrastructure) or the Head of Cyber Security. Your risk assessment must be signed off before you can enter into any contract. Failure to do so will prevent contract execution. 

We are available to support you in this process but the onus is on you to ensure the risk assessment is completed to the required standard and within the necessary timeframe. If you need help, please contact IT Services.

Other things to consider

Cybersecurity is just one important element. You also need to consider any other essential steps, including:

  • Data Protection Impact Assessment:
    If personal data is being processed, you might need a Data Protection Impact Assessment (DPIA). To help you decide if one is needed, please use the DPIA screening tool.
  • Contract review:
    Please ensure all contract terms and conditions are reviewed carefully before they are accepted. Further support can be provided by:

Start the assessment

Complete our computing risk assessment questionnaire to get started.  

Related links

Security reviews for existing systems: once your system is up and running, we recommend scheduling a security review. Regular reviews help to ensure systems are protected against new vulnerabilities and remain resilient.
