Requesting a Technology Risk Assessment

Issue/Question

What is a Technology Risk Assessment? Do I need to request a Technology Risk Assessment? 

Environment

• SDezBuy
• New Software and/or Hardware

Cause

• Acquiring (regardless of cost) non-standard technology which may not comply with state/federal laws or University policy or may involve risk to the University 
• Acquiring (regardless of cost) new technology which involves confidential or restricted data
• Integrating applications into cloud apps like Teams or Zoom

Resolution

• Any technology solution, regardless of cost, must conform to University policy to protect restricted or confidential information
• Technology Risk Assessments are required when:
  • Acquiring non-standard technology or
  • Integrating a cloud app with Teams or Zoom
• When using or purchasing new technology start with a Project Estimate Request
• Technology Risk Assessment may require multiple reviews which can be performed concurrently

Questions and Answers

When acquiring software or hardware that is not part of an existing University standard, consider these questions:

• Are you integrating a cloud application with Zoom or Teams?
  Cloud applications are evaluated by Information Technology Services (ITS) using the Microsoft Cloud App Security (MCAS) Cloud App Catalog.
• Are you acquiring a cloud application?
  Cloud applications are software that does not run in the University datacenter. The University uses the Higher Education Community Vendor Assessment Tool (HECVAT) to evaluate the security of cloud applications that store sensitive data including student records, protected health information, cardholder data, and non-public personal information.
• Are you acquiring desktop software or server software?
  The University uses a standard form to evaluate commercial off-the-shelf (COTS) software.
• Are you acquiring software with accessibility requirements?
  Section 508 requires website content to be accessible to people with disabilities. Academic software used in the delivery of coursework is likely to have accessibility requirements.
• Are you acquiring an application that will require enterprise integration?
  Software applications often integrate with Banner for accurate student or employee information. Many applications may also support single sign-on (SSO) making it safer and easier for students, faculty, and staff to access resources using University credentials.
• Are you acquiring an application that will store, process, or transmit any of the following types of information?
  • Student Records
    Student Records are protected by the Family Educational Rights and Privacy Act (FERPA), and some software vendors must include the appropriate language in their contract indicating their compliance.
  • Payments
    Credit card information, also known as cardholder data, is protected by the Payment Card Industry Data Security Standard (PCI-DSS). 
  • Protected Health Information (PHI)
    PHI is protected by the Health Insurance Portability and Accountability Act (HIPAA), and software applications may be required to comply. .
  • Non-public personal information (NPI)
    NPI is personally identifiable financial information and is protected by the Gramm Leach Bliley Act (GLBA). This type of information is most often associated with financial aid records at a University.