IT Risk Assessment Process
The ITS Risk Assessment (ITRA) process seeks to provide an intuitive and detailed process for overviewing the implementation of a new IT application or device which contains private/confidential data or assists in business Critical functions to RIT as an Institution.
ITRA covers Sections 2 and 5 of the Security Standard for the Solutions Life Cycle Management (SLCM) process. You can find a link to the Security Standard: Solutions Life Cycle Management process in the Links section below.
Private or confidential data is defined in the Information Access and Protection (IAP) Standard.
Business critical data is defined in the Disaster Recovery Standard.
- To determine if the proposed solution involves the use of Private or Confidential Data and/or is Business Critical.
- To provide a better understanding of the potential relative security of an application or service and to identify potential red flags.
- To provide a risk assessment from an IT perspective before deciding to implement the proposed solution into RIT's systems.
- To make sure that the appropriate security controls are in place and effective prior to going live in production.
- Information Security Office
- Provide leadership to the RIT community in safeguarding the confidentiality, integrity and availability of RIT’s information resources.
- Ensure compliance with RIT policies when executing relevant work.
- Business Unit(s)
- Provide guidance to ITS to identify and implement an appropriate information technology solution.
- Investigation Team (PMO or other)
- Coordinate and/or execute the activities required to complete a project investigation.
- Project Team (PMO or other)
- Coordinate and/or execute the activities required to execute/implement a project.
What to Expect
The ITRAP will be a cooperative process combining efforts from the vendor, business unit, and security engineers. The process will be handled in phases, starting with the ITS Information Access & Protection Questionnaire (IAPQ). The IAPQ aims to identify if the solution in question will be handling private/confidential information.
Afterwards the Initial Security Questionnaire (ISQ) will be conducted, in which the vendor will provide ITS with the security features of the suggested solution.
At this time the Security Comparative Review (SCR) may take place in order to find the best solution for RIT’s environment. The SCR is only to take place if two or more products are being considered. The SCR compares the proposed solutions in an attempt to find the best fit.
After a solution is selected, the process will move on to the IT Risk Assessment (ITRA), where the risk and appropriate controls will be identified.
Finally, the Security Validation (SV), in which validation that the identified controls have been implemented, will conclude the process.
There may be instances where two or more of these sub processes will take place at once. For example, the ITRA may take place while waiting for the vendor to complete the ISQ.
All projects that are under investigation and involve ITS are required to follow this process regardless of who is in the role of Investigation Lead.
Scheduling is expected to be managed per the standard ITS Project and Resource Management processes. The ITS Project Management Office (PMO) and ITS Information Security Office (ISO) are responsible for prioritizing and scheduling the efforts required for this process.
A security exception can be requested from ISO to go into production without completing all of the steps in the process. However, the ISO will indicate the expections and duration of the exception prior to being granted.
What if an individual or a project team asks for one of these components to be completed outside of this standard process?
All ad hoc requests for any or all components are to be re-directed to the ISO.
An investigation that involves multiple vendors and has a positive Information Access and Protection Questionnaire (IAPQ) will require an ITS Security Comparative Review (SCR).
RIT’s Solutions Life Cycle Management security standard requires the IAPQ be completed when implementing a new solution which handles private/confidential information and/or provides a critical business proccess to RIT as an institution. The Information Access & Protection (IAP) Standard defines private/confidential data. The RIT Disaster Recovery Security Standard classifies what constitues as a critical bussness process to RIT.
As part of RIT’s annual Enterprise Risk Management (ERM) process, senior leadership and administrators (i.e., vice presidents, associate or assistant vice presidents, deans, directors or other senior officials) are required to identify and assess the enterprise-level risks for which they are responsible.
Refer to the Links section below for more information on the IAP and the Security Standard for the Solutions Life Cycle Management process.
RIT's Information Access & Protection (IAP) Standard requires all RIT organizational units (departments, divisions, etc.) to identify and maintain an inventory of the private, confidential, and internal information they handle or maintain. Refer to the Links section below for more information on the IAP.
The RIT disaster recovery standard defines critical as: “…a process/function which if corrupted, lost, interrupted or made inaccessible during a disruption would pose a significant life, safety, financial, reputation, or other risk to RIT.” Refer to the Links section for more information on the disaster recovery standard.