ITS Risk Assessment Process Overview

The ITS Risk Assessment Process (ITRAP) provides a structured, step-by-step security review of any new IT application or device that stores or processes Private or Confidential data, or that supports functions that are business critical to RIT as an institution. The IT Risk Assessment (ITRA) is one phase of that process; the full sequence of phases is described under "What to expect" below.

The process covers Sections 2 and 5 of the Security Standard: Solutions Life Cycle Management (SLCM). A link to that standard is provided in the Links section below.

Private and Confidential data are defined in the Information Access and Protection (IAP) Standard.

Business critical data is defined in the Disaster Recovery Standard.

Goals

  1. To determine if the proposed solution involves the use of Private or Confidential Data and/or is Business Critical.
  2. To build an understanding of the relative security of the proposed application or service and to identify red flags early.
  3. To provide a risk assessment from an IT perspective before the decision is made to deploy the proposed solution into RIT's systems.
  4. To make sure that the appropriate security controls are in place and effective prior to going live in production.

Organizations

  • Information Security Office
    • Provide leadership to the RIT community in safeguarding the confidentiality, integrity and availability of RIT’s information resources.
  • ITS
    • Ensure compliance with RIT policies when executing relevant work.
  • Business Unit(s)
    • Provide guidance to ITS to identify and implement an appropriate information technology solution.
  • Investigation Team (PMO or other)
    • Coordinate and/or execute the activities required to complete a project investigation.
  • Project Team (PMO or other)
    • Coordinate and/or execute the activities required to execute/implement a project.

Roles

  • Information Security Officer
  • ITS Security Engineer
  • Investigation Lead
  • Investigation Team Member
  • ITS PMO Director
  • ITS I&O Director
  • Business Unit Information Trustee
  • Project Manager
  • Project Team Member

What to expect

The ITRAP is a cooperative process involving the vendor, the business unit, and ITS security engineers. It proceeds in phases, starting with the ITS Information Access & Protection Questionnaire (IAPQ), which determines whether the proposed solution will handle Private or Confidential information.

Next, the Initial Security Questionnaire (ISQ) is conducted, in which the vendor documents the security features of the proposed solution for ITS.

If two or more products are under consideration, a Security Comparative Review (SCR) may be performed at this stage. The SCR compares the security posture of the candidate solutions to find the best fit for RIT's environment; it is not performed when only one product is being considered.

After a solution is selected, the process moves on to the IT Risk Assessment (ITRA), in which the risks and the controls required to address them are identified.

Finally, Security Validation (SV) confirms that the identified controls have been implemented and are effective before the solution goes live in production. SV concludes the process.

Two or more of these sub-processes may run concurrently. For example, the ITRA may begin while the vendor is still completing the ISQ.

For More Information

Links: