IT Vendor Questionnaire

Why would I request this service?

A Vendor Risk Assessment Questionnaire (VAQ) is mandatory for all vendors offering IT services that involve access to sensitive or confidential information. The College's Purchasing department must request prospective vendors complete the attached questionnaire or submit a pre-approved Cyber VRM Service assessment report, during the onboarding process.

Vendors are required to complete the VAQ Form within thirty (30) days of request. 
Existing vendors without a VAQ on file must provide one within (30) days of request.

Who can request this service?

Vendors offering IT services that involve access to sensitive or confidential information.

Additional details about the Service.

The vendor shall be requested to refresh the VAQ with a frequency based upon the previous VAQ score: 2 years for vendors that "meets expectations" and annually for all others. This schedule applies for as long as the vendor provides IT services that require access to sensitive or confidential information to the College.

What happens after I submit the request?

The completed VAQ will be reviewed by CIT. A status will be assigned to the completed VAQ, indicating whether the vendor has implemented adequate security controls to protect the College’s data. The status will be determined based on the questionnaire, the examination of documents submitted by the vendor, additional responses received from the vendor, and the results of the on-site assessment, if conducted. If more information is required, CIT will follow-up with you.

The completed VAQ will be retained by the Purchasing department with the College’s records for that vendor.