IT Risk Assessment Process (ITRAP) FAQ

General

Which projects should follow the IT Risk Assessment (ITRA) Process?

All projects that are under investigation and involve ITS are required to follow this process regardless of who is in the role of Investigation Lead.

How will this new work be prioritized and scheduled?

Scheduling is expected to be managed per the standard ITS Project and Resource Management processes. The ITS Project Management Office (PMO) and ITS Information Security Office (ISO) are responsible for prioritizing and scheduling the efforts required for this process.

Can there be exceptions in this process?

A security exception can be requested from ISO to go into production without completing all of the steps in the process. However, the ISO will indicate the expectations and duration of the exception prior to its being granted.

What if an individual or a project team asks for one of these components to be completed outside of this standard process?

All ad hoc requests for any or all components are to be re-directed to the ISO.

What happens when considering products from multiple vendors?

An investigation that involves multiple vendors and has a positive Information Access and Protection Questionnaire (IAPQ) will require an ITS Security Comparative Review (SCR).

Why is the IAPQ required?

RIT’s Solutions Life Cycle Management security standard requires that the IAPQ be completed when implementing a new solution which handles private/confidential information and/or provides a critical business process to RIT as an institution. The Information Access & Protection (IAP) Standard defines private/confidential data. The RIT Disaster Recovery Security Standard classifies what constitutes a critical business process to RIT.

As part of RIT’s annual Enterprise Risk Management (ERM) process, senior leadership and administrators (i.e., vice presidents, associate or assistant vice presidents, deans, directors or other senior officials) are required to identify and assess the enterprise-level risks for which they are responsible.

Refer to the Links section below for more information on the IAP and the Security Standard for the Solutions Life Cycle Management process.

Why are representatives from the business unit being asked to fill out the IAPQ and not ITS?

RIT's Information Access & Protection (IAP) Standard requires all RIT organizational units (departments, divisions, etc.) to identify and maintain an inventory of the private, confidential, and internal information they handle or maintain. Refer to the Links section below for more information on the IAP.

How should I determine if an application is business critical?

The RIT disaster recovery standard defines critical as: “…a process/function which if corrupted, lost, interrupted or made inaccessible during a disruption would pose a significant life, safety, financial, reputation, or other risk to RIT.” Refer to the Links section for more information on the disaster recovery standard.

Links

RIT’s Information Access & Protection (IAP) Standard: http://www.rit.edu/security/content/information-access-protection-standard

Security Standard: Solutions Life Cycle Management (SLCM): http://www.rit.edu/security/content/solutions-life-cycle-management

Disaster Recovery Standard: https://www.rit.edu/security/content/disaster-recovery