Software and System Risk Assessments

The IT Security Assessment Process identifies risks and explores the fitness of a planned implementation of a new product to be purchased or developed, a major upgrade, enhancement or the migration of an existing system. eTools, cloud services, network system connections and apps must also go through the IT Security Risk Assessment Process. This process involves multiple units, including UMIT Governance, Information Security and Compliance Team, IT Security Architecture Team, the Privacy Office and possibly the Office of the General Counsel and/or Purchasing.

The assessment process is as follows:
  1. Download the RFS Form.
  2. Fill in the required details in the RFS form.
  3. Send an email to the UMIT Governance Team, along with the filled-in RFS Form.
  4. UMIT Governance reviews the RFS and sends the IT Security Assessment Form to the requestor.
  5. The requestor, with the help of the Vendor SME Team, fills in the UMIT Security Assessment Questionnaire and sends the completed questionnaire to UMIT Governance.
  6. UMIT Governance Team initiates the IT Security Assessment Process.
  7. A ServiceNow Request will be created for each request and a notification will be sent to the UM Business Owner.
  8. The assessment process may take 2 - 4 weeks to complete based on the complexity of the requested project/implementation.
  9. Once the assessment is complete, the assessment report is sent to the UMIT Governance team.
  10. UMIT Governance team communicates the decision to the requestor.

Some applications, particularly those involving confidential/restricted data, may need to have their security controls verified, such as by a penetration test or a vulnerability scan, which requires additional time and possibly additional cost.

The instructions for filling in the Security Assessment Questionnaire are documented here.