Information Security Risk Assessment: Third Party
Please complete the Risk Assessment Questionnaire and Attachments and submit them. Incomplete submissions may result in delays. Do not reference features and settings that will not be present and enabled at implementation. If you have any questions or need clarification, please contact us. This is not a pass-or-fail document; rather, it is a discovery document that benefits the party being assessed and the WashU community by identifying risks, enabling mitigation, and helping to protect data. Many questions can be answered by reviewing Appendix A at the end of this form.

General Information - Owner(s)/Sponsor

WashU Contact

Data Custodian / Data Owner

System Custodian / System Owner

Sponsor / Vendor

Service Information

Application Information

Data Protection Information

Where will WashU data be located?

Answer “Yes” or “No” and provide explanation as necessary for each of the following statements regarding encryption key management policy and procedures:

o If yes, please answer the following:

Backup/Disaster Recovery

Business Partner Information

Does your organization hold any of the following certifications? If yes, please provide verification information for each, along with the Risk Assessment, as a supplement.


Attachment A (Architecture Diagram)


Appendix A

Office of Information Security Contact Information:

All Protected Health Information:

  • Must be encrypted

Definitions:

  • Questionnaire Owner - has the responsibility to complete the form for the asset to be assessed.
  • Data Owner - has administrative control and has been officially designated as accountable for a specific information asset dataset.
  • Business Owner/Sponsor - has the overall ownership of the asset.
  • PHI - patient name, date of birth, date of service, MRN, invoice number, social security number, address, email address, facial photos or other identifying photos or numbers.

Helpful Links:
