Security Risk Assessment Process
As part of the evaluation and procurement process for new services and applications, a review of the security, privacy, and risk is required to ensure the security of University data and systems.
Process Overview
Detailed Process Steps
Step 1 - Review the list of previously reviewed and approved applications and services. If an application or service on the list will meet your needs, contact Information Security (infosec@uoguelph.ca) to ensure that your usage aligns with the previous approval, as solutions on this list are approved on a per-project basis.
Step 2 - Understand the data classification of the information being stored, processed, or utilized within the application or service. Refer to the Data Classification Policy for more information on data classifications.
- Not sure what data classification applies? Use our Data Classification Assessment Tool to get the answer.
Step 3 - If the request is for a Microsoft365 add-on or Learning Tool Integration, contact Information Security (infosec@uoguelph.ca) directly.
Step 4 - If this is for a new application or service not included on the approved application list, submit the CCS Project Management Office (PMO) Intake form.
Step 5 - Once the PMO has reviewed the project intake form, you will be asked to provide the following documentation:
- The Information Security and Risk intake document. This should be completed by the project requestor.
- The Security Risk Questionnaire or a Higher Education Community Vendor Assessment Tool (HECVAT Lite or HECVAT Full are acceptable). Either document is acceptable and should be completed by the vendor.
Step 6 - Once the documentation is received from the PMO, the Information Security team will create a Footprints ticket for tracking and will review the provided information. You will be contacted regarding approval or with additional questions as required.
Service Level Agreement (SLA)
The overall risk assessment process may take up to 4 weeks from the date of the initial request, so please plan accordingly. The time required to complete the assessment will vary based on several factors, including:
- If all required information has been shared
- Completeness and accuracy of the information shared
- Availability and timeliness of stakeholder responses to questions
- Information Security resource availability
Information Security will strive to complete risk assessment requests as quickly as possible; however, the process may be delayed due to the number of assessments in the queue, holidays, and scheduled vacations.
CCS Information Security
Last Updated: October 4, 2024