Technology Services Security and Privacy Risk Assessment

What is this service?

Use this form to request a Security and Privacy Risk Assessment for any new software, service, or technology you plan to introduce. This assessment helps identify potential risks, ensure compliance with organizational policies, and confirm that appropriate safeguards are in place before adoption or implementation. Please provide as much detail as possible so our Technology Services team and Risk Management can accurately evaluate the solution and support you throughout the review process. We will be in touch throughout the process. 

Below is a brief overview of the process:
  • Project Team Reviews Request
  • Security Documentation Reviewed (including HECVAT and completing Privacy Impact Assessment)
  • Approval or Rejection

More Detail

  • Campus requests often involve software or cloud services that access private data or connect to critical systems.

  • To establish guardrails, a Security and Privacy Risk Assessment is now required prior to implementation of any new software, service, or technology.

  • Assessments are conducted in partnership with the Director of Risk Management, Randy Peters.

  • Two core components support this process:

    • Technical Risk Assessment (IT-led)

    • Privacy Impact Assessment (Requestor + Risk Management)

The Process

 

Privacy & Technical Risk Reviews

Privacy Risk Review

Privacy Impact Assessment (PIA)

  • The Requestor and Director of Risk Management, with IT Services support, complete the PIA.

  • Once complete, the Director of Risk Management approves or rejects the privacy risk.

Technical Risk Review

HECVAT (Higher Education Community Vendor Assessment Toolkit)

  • When received, IT Security Team:

    • Reviews the HECVAT.

    • Completes the Technical Risk Assessment Form.

  • The completed assessment is sent to the Director of IT Services, who approves or rejects the technical risk.

Approvals

Two parallel approval decisions occur:

  • Privacy Risk: Director of Risk Management

  • Technical Risk: Director of IT Services

  • Each can approve or reject based on their assessment.

  • If rejected, the Project Team updates the requestor with reasoning.

Why is it useful?

This acts as a safety check that identifies security risks before new technology/software is adopted, protecting the organization.

How do I access this service?

Click the "Request Service" button to the right.

Who can access this service?

  • Faculty
  • Staff