Computing Risk Assessment (CRA)

The Computing Risk Assessment (CRA) is designed to support the introduction and use of secure and compliant computing services at the University of York (see IT Outsourcing and Cloud Computing Policy). The CRA process enables the University to understand the risk posed by a processing activity and to assess and ensure that providers have adequate technical and procedural controls in place to secure University data. 

  • To start the process, please submit our initial questionnaire, which helps us to understand the processing activity and the risk it may pose.
  • Once submitted, a Computing Risk Assessment template will be issued to you via email and a folder structure will be created within Google Drive for you to store it, along with any associated documents. The risk assessment should then be shared with the software vendor for completion.
  • Once completed and returned, please @tag (Cyber Risk and Compliance Manager) into the document for initial review. Queries and clarifications will then be raised for further comment by the vendor.
  • Sign-off will be performed by the Assistant Director of IT (Infrastructure) or the Head of IT Security. Your risk assessment must be signed off prior to entering into a contract with a vendor.

Start the CRA process by submitting the initial questionnaire.

Please note

Where personal data is being processed, there may be a need for a Data Protection Impact Assessment (DPIA). You can use the online DPIA screening tool to decide whether a DPIA is needed.

Contract review is another important step in safeguarding the University and University data. Please ensure contracts are reviewed by Procurement, the Data Protection Team and Sarah Butcher (Software Asset Manager) in advance of signing to ensure that they provide the University with adequate legal protections and appropriate licensing terms.