Software and System Risk Assessments

The IT Security Assessment Process identifies risks and explores the fitness of the planned implementation of a new product to be purchased or developed, a major upgrade or enhancement, or the migration of an existing system. eTools, cloud services, network system connections and apps must also go through the IT Security Risk Assessment Process. This process involves multiple units, including UMIT Governance, the Information Security and Compliance Team, the IT Security Architecture Team, the Privacy Office, and possibly the Office of the General Counsel and/or Purchasing.

The assessment process is as follows:
  1. Access the RFS Form in UService.
  2. Fill in the required details in the RFS form, and click Submit.
  3. UMIT Governance reviews the RFS and sends the IT Security Assessment Form to the requestor.
  4. The requestor, with the help of the Vendor SME Team, fills in the UMIT Security Assessment Questionnaire and sends the filled-in questionnaire to UMIT Governance.
  5. UMIT Governance Team initiates the IT Security Assessment Process.
  6. A ServiceNow request will be created for each request and a notification will be sent to the UM Business Owner.
  7. The assessment process may take 2-4 weeks to complete, depending on the complexity of the requested project/implementation.
  8. Once the assessment is complete, the assessment report is sent to the UMIT Governance team.
  9. UMIT Governance team communicates the decision to the requestor.

Some applications, particularly those involving confidential/restricted data, may need to have their security controls verified, such as by a penetration test or a vulnerability scan, which requires additional time and possibly additional cost.


The instructions for filling in the UMIT Security Assessment Questionnaire are available here.