Purpose
To ensure that UI data is handled, and systems are operated, in compliance with UI policy and the IT standards required by Data Classification and Standards (APM 30.11). When using, purchasing, or renewing systems or vendors, OIT requires identification of the risks associated with a particular product or service for its intended use. A Risk Assessment must be completed by the OIT Information Security Office before the University acquires or uses external information systems.
Pre-assessment Checklist
Software being requested has a cloud component,
AND at least one of these conditions applies:
- Software is not found in the TeamDynamix Application Portfolio.
- Software does not have a V/ASA completion or IT Governance date listed in the Application Portfolio.
  - Being used currently at U of I does not qualify as being approved; it only means the software is currently in use. Reasons vary: exceptions, grandfathering, shadow IT, etc.
Pre-requisites
All assessments are primarily based on the processing, transmitting, and/or storing of data, in conjunction with the privileged access the user(s) of the requested application may have. The following information will help requestors understand the minimum documentation required for assessment, given the data risk classification in scope. First, classify the data used by the application. Then classify the data that may already be on the machine (for example: is this machine used to store high risk data such as SSNs? Is student data processed, stored, or otherwise used on this machine?). Finally, classify the user based on your knowledge of their access to high risk data.
Classifications
These classifications will be referenced and asked for during this process, so please classify both the data and the user accessing the data. This is typically done by asking the requestor the five questions below; use the requestor's answers to classify the data. Does the application process, store, or transmit:
- Personally Identifiable Information (PII) (e.g., name, DOB, SSN, birthplace, address, or mother's maiden name, etc.)?
- Credit card payment information (aka PCI or PCI-DSS)?
- Protected Health Information (PHI or ePHI) under the definition of the Health Insurance Portability and Accountability Act (HIPAA)?
- Federally Funded Research data (that is protected by the Federal Information Security Management Act (FISMA) or any other data use standard)?
- Family Educational Rights and Privacy Act (FERPA) data?
Data, accounts, and systems must be classified according to the highest risk data that they process (APM 30.11 B-3).
Data Classification
- Low Risk: The potential effect of loss of confidentiality, integrity, or availability could be expected to have only a limited adverse effect on university operations, individuals, or assets.
  - Example: published public information including press releases, directory information, or research data not otherwise confidential or regulated.
- Moderate Risk: The potential effect of loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on university operations, individuals, or assets.
- High Risk: The potential effect of loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on university operations, individuals, or assets.
  - Example: private information that must be protected by law or industry regulation (Federally funded research, HIPAA / ePHI, Social Security Numbers, driver's license numbers, bank or credit account numbers).
User Classification
- User: access to Low / Moderate Risk data.
- HAU (High Access User): access to High Risk data (on any machine).
Gather the Documentation
| Minimum Required Documentation | Low Risk | Moderate Risk | High Risk |
|---|---|---|---|
| Vendor/Application Scoping Document | Yes | No | No |
| University of Idaho Data Classification Tool (select Vendor Security Assessment in the first drop-down) | Optional | Yes | Yes |
| Security Questionnaire ** | Optional | Yes | Yes |
| SOC 2 Report (Security Team can help acquire if necessary), with bridge letter for date coverage gaps | Optional | Optional | Yes |
| VPAT / ACR (IT Accessibility Report) | If Available | If Available | If Available |
Types of Security Questionnaires Accepted **
- Requester / TSP should fill out:
AND one of the following:
Vendor Scoping Document Information
- Vendor / Product web page
- Short vendor / product description:
- Installation and use (choose one):
  - Local:
    - download installer, no internet access required for function,
  - Cloud:
  - Hybrid:
    - local download that works with a web app and/or data storage outside UI networks / resources,
- What is the application used for?
- How is this application updated/patched?
- What is the Data Classification of the information processed, stored, and/or transmitted by the application?
- What is the User classification, if known?
- What is the scope of application usage (choose one):
  - Individual
  - Groups of users
  - Department(s)
  - University wide
Vendor Security Assessment Info