Security Review Process

The Information Security Office (ISO) conducts security reviews of new services or projects that handle High and Moderate Risk Data. Reviews of systems handling Low Risk Data are optional, and ISO may conduct such reviews as necessary.

Initial Steps:

In order to initiate the review process, complete the preparation steps listed below:

  1. Open a HelpSU ticket --> select "Privacy and Information Security" and "Request Privacy and Security Review" to initiate the review
  2. Identify the point of contact for this review
  3. Complete the intake form and ensure the information below is included if applicable
  4. Data flow diagram (how the data flows through all system components)
  5. Architecture diagram showing how firewalls, routers, and other devices are set up
  6. If third party (e.g. vendors, service providers), ensure the following information is provided:
    • Documentation of whether the vendor has gone through any third party security attestations (e.g. SSAE 16 SOC I, II, etc.)
    • Business Associate Agreements (BAAs) or other contracts in place between the relevant parties
    • Vendor's security and Software Development Life Cycle (SDLC) policies
    • Vendor's disaster recovery plans and Vendor's penetration test results

ISO steps:

  1. Review the information provided
  2. Contact the requestor and coordinate a meeting with requestor and key stakeholders
    • Depending on the issues identified during this meeting, we might request further information and/or schedule meetings, as needed
  3. We will communicate our initial findings and recommendations to the requestor/customer during these meetings and provide periodic status updates
  4. We will send a draft copy of the report for validation and understanding, and to allow an opportunity to provide additional mitigating information if needed
  5. A final report will be issued

Last modified: 07/16/2015 11:20:31 AM