Security and Risk Assessment Process
As part of the evaluation and procurement process for new services and applications, a review of the security, privacy, and risk is required to ensure the security of University data and systems.
Step 1 - Review the list of previously reviewed and approved applications and services. If an application or service on the list will meet your needs, contact Information Security (firstname.lastname@example.org) to ensure that your usage will align with the previous approval, as the use of solutions on this list is approved on a per-project basis.
Step 2 - Understand the data classification of the information being stored, processed, or utilized within the application or service. Refer to the Data Storage Guidelines for more information on data classifications.
- Not sure what data classification applies? Use our Data Classification Assessment Tool to get the answer.
Step 3 - If this is a new application or service not in the approved list, submit the following documentation to Information Security (email@example.com):
- The Information Security and Risk intake document to be completed by the requestor.
- The Security Risk Questionnaire or a Higher Education Community Vendor Assessment Tool (HECVAT Lite or HECVAT Full are acceptable) to be completed by the vendor. Either document is acceptable; however, the vendor may prefer to use the HECVAT since it could be used in reviews at other institutions.
Step 4 - Once the documentation is received, the Information Security team will create a Footprints ticket for tracking and will review the provided information. You will be contacted regarding approval or with additional questions as required.
CCS Information Security
Last Updated: October 25, 2023