Information Technology Guideline 08.1.1

Solutions Discovery Analysis and System Risk Assessment Guideline


Date of Current Revision or Creation:ÌýOctober 2024


The purpose of an Information Technology Standard is to specify requirements for compliance with ±¬ÁÏ¹Ï Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

Purpose

TheÌýpurpose of this guideline is to support University Policy 3509 and to ensure that software-based technologies, applications and services meet University information technology requirements, are compatible with existing technology standards and services, andÌýareÌýaligned with information technology priorities without introducing unnecessary service interruptions or other risks to the efficient operation of business at the University.Ìý

Definitions

Data Compliance OwnersÌý–ÌýAs defined in Information Technology Services Standard 01.2.0 – IT Security Roles & Responsibilities, University employees (typically at the level of Unit Leader) who oversee data management functions related to the capture, maintenance, and dissemination of data for a particular operational area. They are responsible for decisions about the usage of institutional data under their purview.ÌýData Compliance Owners understand the compliance requirements for their data, designate the compliance level of their data, and approve access to their data.ÌýUniversity Data Compliance Owners oversee compliance for data that is shared or leveraged across the University, such as HR, Finance, Financial Aid, and Student FERPA data. Departmental Data Compliance Owners oversee the data that is specific to the departmental application or system that is not overseen by one or more of the University Data Compliance Owners.

Information Security Governance, Risk, and Compliance (GRC) – A strategic functional unit within the University Information Security Office serving the campus community by assisting with meeting compliance of federal and state regulations; University policies, standards, and guidelines; and managing potential security risks to the University. The GRC team also seeks to provide University leadership with the tools needed to make informed risk-based decisions that best support the mission of the University.

Project Management Office (PMO)Ìý–ÌýA strategic functional unit within the Office of Information Technology Services (ITS) that promotes and advances project management principles and services for information technology (IT) projects at ±¬ÁϹÏ.Ìý

ServicesÌý– Professional services to include consulting, design, organize, and manage University environments to include access to University data, to assist or do work on behalf of University employees.

SoftwareÌýTechnologies and ApplicationsÌý– ComputerÌýprograms orÌýaÌýgroup ofÌýcomputerÌýprogramsÌýand related dataÌýthatÌýprocesses, stores, or accesses University data, operates on orÌýinteract with the University systems and information technology resources.ÌýThese include, but are not limited to,Ìýsystem software, application software, and programming software,Ìýwhether delivered as software as a service (cloud), hosted, or on-premises installed on ±¬ÁÏ¹Ï systems.

System Compliance OwnerÌý– As defined in Information Technology Services Standard 01.2.0 – IT Security Roles & Responsibilities, a manager or departmental head responsible for operation and maintenance of a University IT system or overseeing hosted systems under their purview. System Compliance Owners are responsible for the overall compliance and security of their system.

Guidelines

University Policy 3509 establishes the practice that for software technologies, applications and services, prior to procurement, the requesting department will initiate a Solutions Discovery Analysis to assess integration requirements with existing University services, systems and standards, and operational support requirements.Ìý

University Policy 3504, Data Administration Policy, establishes the need for IT security roles and responsibilities, and ITS Standard 01.2.0, IT Security Roles and Responsibilities, establishes the System Compliance Owner as the one responsible for operation and maintenance of University IT systems or hosted systems under their purview, including adhering to University policy and standards, managing the risks and maintaining compliance associated with their systems. ITS and Procurement Services support the System Compliance Owner in their role as stewards of the systems that they oversee.

NEW PURCHASES

  1. For new purchases of software technologies, applications and services, the requester shall initiate a Solutions Discovery Analysis (SDA) via the ITS Project Management Office, which assists with initial information gathering. This is typically submitted prior to submission to Procurement Services for purchase, however requests originating from Procurement Services will be referred to the SDA process initiation. ITS will assist in the completion of the Solutions Discovery Analysis and resulting summary that informs the System Compliance Owner and others regarding:

    • Regulatory compliance
    • Data classification
    • Documentation of risk, when warranted
    • Whether a contract addendum is required, and which contract addendum applies
    • Whether a third-party assessment is required
    • How authentication and account management are addressed
    • Whether remote access is required to the ±¬ÁÏ¹Ï network
    • Whether an ITS project is likely needed
    • IT security roles and responsibilities for System Compliance Owner and Data Compliance Owner(s), System Administrator, Application Administrator
    • Sign-off by System Compliance Owner and Data Compliance Owner(s), and other roles as applicable
  2. Once the SDA summary is complete, the appropriate 3rd party security and controls assessments are collected and reviewed when applicable, and the summary is accepted by the System Compliance Owner and Data Compliance Owner(s) and, other appropriate stakeholders, the product can move forward with Procurement Services. In the event risks are identified through the review process, the System Compliance Owner and Data Compliance Owner are made aware. For SDAs with restricted data, the review is shared with CISO and CIO for awareness. The CISO and CIO determine if the risks need to be elevated to the responsible Vice President or Associate/Assistant Vice President or appropriate stakeholder acceptance based on business necessity versus the identified risks.
  3. Risk-based decisions may be made by the System Compliance Owner, in collaboration with the Data Compliance Owner and Information Security GRC, for Procurement Services to enter into and execute a contract after the Solutions Discovery Analysis has been signed off by appropriate parties.ÌýThis includes acceptance by the System Compliance Owner of modifications to the addendum for protecting hosted data and residual risks identified in the Solutions Discovery Analysis Summary.ÌýData Compliance Owners have the discretion to deny the sharing of data under their stewardship.ÌýIn the event a vendor will not sign or execute the University data addendum to accompany, Risk and Compliance may share the vendor agreement with University Counsel for review as warranted.
  4. If, in the assessment of the System Compliance Owner, Data Compliance Owner or CISO, the risks fall outside of what is considered acceptable based on numerous factors, but the business need for the system requires purchase, the responsible Vice President, Associate/Assistant Vice President or appropriate stakeholder can accept the risks on behalf of the University via sign-off of the Solutions Discovery Analysis summary.
  5. Information Security GRC can determine if exceptions to the Solutions Discovery Analysis can be made for IT purchases that do not inherently require such an analysis, or that are reviewed and implemented through different processes, such as:
    • Desktop software that involves no cloud storage of protected data, no remote access requirement, and is implemented according to applicable ITS Standards.

      • Example: Word Processor with templates that are stored in cloud
    • Academic, instructional or research desktop software that involves no cloud storage of protected data, no remote access requirement, and does not introduce privacy or security considerations.
    • Subscription SaaS (Software as a Service) solutions that license access to third-party data or services that don’t involve ±¬ÁÏ¹Ï sharing protected data or integration with ±¬ÁÏ¹Ï systems.
      • Example: Subscription access to business data used for SCoB business analysis
    • SaaS software that does not involve regulated data and/or is considered lower risk may receive minimal documentation and contract support or be exempt from a review. Data that falls into class 4 and under $5000 may be exempt from any review. Data that falls in class 5 may be exempt from any review.
      • Examples: browser-based image editor, or other hosted solutions involving no regulated data
    • Site Licensed software that is managed by ITS, has no cloud storage of data, and is implemented according to applicable ITS Standards.
    • Commodity hardware such as routers, switches, rack servers, etc. that do not have a new software component.
    • Software technologies, services and systems that do not meet the criteria established in University Policy 3509 Solutions Discovery Analysis Policy.

Third-party assessments may be industry standard SOC II type reports, or a report that provides a similar assurance relative to the risks involved.

  • For all systems involving regulated or restricted data, prior to procurement processing and\or contract execution, the System Compliance Owner or ITS reviewer will seek to collect a third-party assessment report prior to purchase, and appropriate review will be made by Information Security GRC based on the risks associated with the system.ÌýReports will be reviewed for restricted systems, and reports may be reviewed for confidential systems. Reports for confidential systems or systems with data classifications 2-4, a HECVAT, Security White Papers, or other vendor provided documentation would be acceptable.

    • For FERPA protected confidential data that is classified as Directory Information according to our Student Data Compliance Owner, no third-party assessment will be required.
    • For Payment Card Industry or PCI compliance where payments are collected, if the only regulatory implications include PCI compliance and no other regulated data, an Attestation of Compliance or AoC will be collected along with a completed SDA summary. The AoC will then be shared with Office of Finance’s PCI Compliance team for vendor PCI management and will not warrant further review by Information Security GRC unless there are changes to the posture of the system or service.
    • 3rd party assessment acceptable documentation includes but not limited to SOC 2 Type 2, HITRUST, ISO certification, AoC, etc.
  • For systems with restricted data, the System Compliance Owner or ITS reviewer will collect the third-party assessment annually thereafter, prior to any renewal of the contract, which will be shared with and reviewed by Information Security GRC.
  • If a vendor is unable to provide an up-to-date SOC II type II report, a bridge letter is acceptable pending the bridge letter review by Information Security GRC.
  • For systems with restricted data, a best effort will be made to collect a vendor’s subservice SOC, but not a requirement to move forward with the SDA review and purchase.

System Risk Assessments are related to the risk portion of the Solutions Discovery Analysis and are completed according to 08.01.0 Risk Assessment Standard.

  • For new systems that are classified as restricted Class 1 data (per ITS Standard 02.3.0 Data Administration and Classification Standard 02.3.0), and/or BIA immediate during the Solutions Discovery Analysis, a System Risk Assessment will be conducted by the System Compliance Owner with assistance from Information Security GRC within a year of purchase.
  • For new systems classified as confidential Class 2 through 3, during the Solutions Discovery Analysis, the SDA Summary will serve as the system risk assessment.Ìý
  • For lower risk systems such as Data Classification 4 and 5, completion of a full risk review is a low priority and should not infringe upon efficient operations and may be determined as exempt per exemption criteria as stated above If not determined as exempt, a review should be conducted within the year or prior to renewal.

RENEWALS

At time of renewal, Procurement Services will follow their Technology Software Renewal Guideline to support System Compliance Owners in renewing contracts.Ìý

If there is no Solutions Discovery Analysis Summary or System Risk Assessment on record, a best effort will be made to conduct a review before renewal.

  • The Solutions Discovery Analysis for renewals is handled according to the same procedure as with new purchases.
  • Procurement Services may continue with renewals for existing services to maintain availability of services.ÌýIn that case, a Solutions Discovery Analysis or System Risk Assessment will be scheduled by the System Compliance Owner and/or Information Security GRC as soon as is practical but no later than one year from the time of the contract and will be made available to Procurement Services.

Standards, Procedures, Guidelines & Other Related Information

Ìý

History

Date Responsible Party Action
September 2018 Information Security Office Created
July 2019 Information Security Office Updated
October 2024 Information Security Office Updated