Security Design Reviews and Risk Assessments

IT systems such as Banner or Canvas are critical to the operations of the University and must be kept secure. To achieve our security goals, systems must be evaluated against our policies, standards and guidelines to identify control gaps and manage risk. The ISO provides security design review and IT risk assessment services to assist IT system owners with these evaluations.

The ISO focuses on protecting internet-facing systems (e.g., our website) and systems that process or store personally identifiable information (PII) or other privacy-protected information such as educational or health records (e.g., Banner). A system can be an application, a piece of hardware, or a collection of software and hardware. A system can be a vendor solution or an internally developed application (e.g., esign). Internal systems and applications that do not process or store PII or other protected confidential data can be exempted from review. For systems in scope, the ISO partners with the IT system owner and technical lead to perform a security design review and risk assessment at the time of system purchase. Security design reviews and risk assessments must also be updated every three years, or sooner when substantial changes are made to the system.

Performing a security design review with a risk assessment has three steps:

  • The vendor, technical lead and business owner fill out templates provided by the Information Security Office.
  • The technical lead creates a diagram of the solution showing system components, security boundaries, and information flows.
  • The technical lead, business owner, and ISO meet to discuss the completed templates and to identify security gaps and mitigation measures. They also complete the risk assessment by identifying threats, estimating the likelihood that each threat will be realized, and then calculating the final risk score.

Many of our systems are "software as a service" (SaaS) systems. For these, the vendor is asked to fill out a security design review template. Some questions, such as those about user roles and access, will have to be answered by the business owner and technical lead. For on-premises systems, vendors can also answer some of the questions, but a greater percentage will likely be answered by University personnel.

When purchasing new products, please see our page on Security for New IT Purchases.

If you would like to learn more about managing IT system risk, please see these resources: 

To start a review, please email the Information Security Office about your IT project. Include contact information for the business owner, technical lead, and vendor, along with a list of the confidential data the application will store and/or process.