Security Design Reviews and Risk Assessments

IT systems such as Banner or Canvas are critical to the operations of the University and must be kept secure. To achieve our security goals, systems must be evaluated against our policies, standards and guidelines to identify control gaps and manage risk. The ISO provides security design review and IT risk assessment services to assist IT system owners with these evaluations.

The ISO is focused on protecting internet-facing systems (e.g., our website) and systems that process or store personally identifiable information or other privacy-protected information such as educational or health records (e.g., Banner). A system can be an application, a piece of hardware, or a collection of software and hardware. A system can be a vendor solution or an internally created application (e.g., esign). Internal systems and applications that do not process or store PII or other protected confidential data can be exempted from review. For systems in scope, the ISO partners with the IT system owner and technical lead to do a security design review and risk assessment at the time of system purchase. Security design reviews and risk assessments also need to be updated every three years or when substantial changes are made to the system.

Performing a security design review with a risk assessment has three steps:

  • The vendor, technical lead and business owner fill out the HECVAT and Risk Assessment templates provided by the Information Security Office. Note that vendors often have the HECVAT pre-filled and can simply send it to you. Some questions, such as those on user roles and access, will have to be answered by the business owner and technical lead, however. For on-premises systems, vendors can also answer some of the questions, but a greater percentage will likely be answered by the project team.
  • The technical lead creates a diagram of the solution showing system components, security boundaries, and data/information flows. The vendor can also provide a diagram or participate in the process.
  • The technical lead, business owner, and ISO meet to discuss the templates and to identify security gaps and mitigation measures. They also complete the risk assessment by identifying threats and the likelihood that each threat will be realized, then calculating the final risk score.

When purchasing new products, please see our page on Security for New IT Purchases.

If you would like to learn more about managing IT system risk, please see these resources:

Please email the Information Security Office and let us know about your IT project. Include the contact information for the business owner, technical lead, and vendor. We also need a list of the confidential data the application will be storing and/or processing.