IT Risk Assessment Process (ITRAP) FAQ

General

Which projects should follow the IT Risk Assessment Process (ITRAP)?

All projects that are under investigation and involve ITS are required to follow this process, regardless of who holds the Investigation Lead role.

How will this new work be prioritized and scheduled?

Scheduling is managed through the standard ITS Project and Resource Management processes. When needed, the PMO Director is responsible for prioritizing the work and resolving any scheduling conflicts.

Can there be exceptions in this process?

A security exception can be requested from the ISO to go into production without completing all of the steps in the process. However, the ISO expects all of the remaining steps to be completed within 6 months of the exception being granted.

What if an individual or a project team asks for one of these components to be completed outside of this standard process?

All ad hoc requests for any or all components are to be re-directed to the PMO Director.

What happens when an investigation considers products from multiple vendors?

An investigation that involves multiple vendors and has a positive Information Access and Protection Questionnaire (IAPQ) result will require an RF.

Why is the IAPQ required?

RIT’s Solutions Life Cycle Management security standard requires that the IAPQ be completed when implementing a new solution which handles private or confidential/business critical data. The Information Access & Protection (IAP) Standard defines what counts as private/confidential data.

Filling out the IAPQ also supports RIT’s Enterprise Risk Management (ERM) process: it gives ITS a defined point at which to contribute as the IT subject matter experts.

As part of RIT’s annual ERM process, leaders (senior leadership and administrators, i.e., vice presidents, associate or assistant vice presidents, deans, directors or other senior officials) are required to identify and assess the enterprise-level risks for which they are responsible.

Refer to the Links section below for more information on the IAP and the Security Standard for the Solutions Life Cycle Management process.

Why are representatives from the business unit being asked to fill out the IAPQ rather than ITS?

RIT's Information Access & Protection (IAP) Standard requires all RIT organizational units (departments, divisions, etc.) to identify and maintain an inventory of the private, confidential, and internal information they handle or maintain. Because that inventory belongs to the unit, the unit's representatives are the ones who can accurately answer the IAPQ; ITS does not own or know the unit's data. Refer to the Links section below for more information on the IAP.

How should I determine if an application is business critical?

The RIT disaster recovery standard defines critical as: “…a process/function which if corrupted, lost, interrupted or made inaccessible during a disruption would pose a significant life, safety, financial, reputation, or other risk to RIT.” Refer to the Links section for more information on the disaster recovery standard.

Links

RIT’s Information Access & Protection (IAP) Standard: http://www.rit.edu/security/content/information-access-protection-standard

Security Standard: Solutions Life Cycle Management (SLCM): http://www.rit.edu/security/content/solutions-life-cycle-management

Disaster Recovery Standard: https://www.rit.edu/security/content/disaster-recovery