Skip Navigation

Vendor & Contract Review

When selecting a vendor who will work with Stony Brook University data, the following form must be completed by the Stony Brook employee, and a completed HECVAT questionnaire is required to be completed by the vendor if they are providing or using cloud services to deliver the sought after solution. The answers provided along with the feedback given by our vendor review group will help the business unit to select a vendor that aligns with SBU’s risk tolerance.

Once fully completed, a service request should be open via (Security -> Security Policy and Compliance -> Request a vendor review) and this form, the completed HECVAT and associated documentation should be attached to the ticket. It will then be reviewed by a team of subject matter experts, including Stony Brook's Chief Information Security Officer. Someone may contact the Contractor to discuss questions, concerns and issues related to this questionnaire, and to make mutually agreed upon changes to Contractor's information security or this questionnaire.

Vendor Security Questionnaire (PDF | DOC)