
Contractual Vendor Risk Assessment Guideline

The Contractual Vendor Risk Assessment (CVRA) is a critical process that identifies and manages risks related to third-party vendors. This process helps protect the university by reviewing the vendor’s security, privacy, and legal practices before making any agreements. It ensures vendors meet York’s data security standards and helps identify potential risks so your department can make informed decisions and keep our data safe.

If a product will access, store, process, or transmit York data, you’ll need to follow the CVRA request process before moving forward.

  1. Ask your vendor to provide their standard contract, which must include terms about: 
    • Data Location and Destruction
    • Security Breach Procedures
    • Cybersecurity Standards
  2. Ask the vendor to complete the Higher Education Community Vendor Assessment Tool (HECVAT) and supporting documentation.

    Share the following instructions with your vendor in the request:

    Instructions for Vendors completing the HECVAT
    • The submitted HECVAT must be version 3.04 or higher.
    • Ensure that the Additional Information entry adequately addresses the Guidance provided for each question.
    • The following tabs must be completed:
      • Organization
      • Product
      • Infrastructure
      • IT Accessibility
      • Case-Specific
      • AI
      • Privacy
      • Analyst Reference
    • The HECVAT may request additional documentation; please ensure all required items are included when you submit your completed HECVAT and the Shibboleth Readiness Profile.

You (the requestor) must complete the Cyber Threat and Risk Assessment (CTRA) intake form.

Email the completed documents to the Procurement and Information Security group, along with a description of how you plan to use the software.

| Document | Completed By | Send To |
|---|---|---|
| HECVAT (version 3.04+) | Vendor | purchase@yorku.ca, ctra@yorku.ca |
| Vendor's Standard Contract | Vendor | ctra@yorku.ca |
| CTRA Intake Form | Requestor | ctra@yorku.ca |
| Description of Software Use | Requestor | purchase@yorku.ca, ctra@yorku.ca |

Under the new process, assessments will be completed within 3 weeks, assuming that the information provided in the CTRA intake form and HECVAT is accurate.



View Completed Security Assessments:

Click on the link to access the list of completed security assessments.