Difference between revisions of "Information Technology Risk Assessment"

From Help Wiki
(Questions:)
Line 35: Line 35:
 
|Is the technology expected to operate on college computing devices (hosted by C&C) or on the vendor’s computing devices (hosted by the vendor)?
 
|Is the technology expected to operate on college computing devices (hosted by C&C) or on the vendor’s computing devices (hosted by the vendor)?
 
|-
 
|-
 
+
|If the technology operates over the internet, is the data encrypted in transit (https)?
 
+
|-
 
+
|Does this technology use virtual private network (VPN) or secure file transfer protocols (SFTP)?
 +
|-
 +
|What data will be stored using this technology?
 +
|-
 +
|Will there be any personally identifiable (name, SSN, date of birth or physical address) or confidential data (protected by state or federal laws) stored in the device? FERPA data includes all educational records.
 +
|-
 +
|Will the vendor have access to and/or store any personal identifiable data, FERPA data or other confidential data?
 +
|-
 +
|Is the stored data encrypted?
 +
|-
 +
|How is access/security to this technology managed and by whom?
 +
|-
 +
|Will staff have access to all of the data or information stored in this technology? List individuals or groups who will have access. 
 +
|-
 +
|How will the device be stored physically? Describe where it will be kept when in use and when in storage.
 +
|-
 +
|Does the technology support single sign on?
 +
|-
 +
|Does the technology support multi-factor authentication?
 +
|-
 +
|Will the college and vendor exchange any data? If yes, describe the data being exchanged, how it will be exchanged and the security protocol that will be used?
 +
|-
 +
|Describe your data archival and record retention plan.
 +
|-
 +
|Will the vendor return or delete all of the college's data when the contract terminates?
 +
|-
 +
!Accessibility
 +
|-
 +
|Is a Voluntary Product Assessment Template (VPAT) or similar accessibility certification documentation available for the product/service? Please attach.
 +
|-
 +
|Has accessibility testing been performed on this technology within the last 12 months?
 +
|-
 +
|Do you have an plan to mitigate accessibility shortcomings that may arise from the use of this technology?
 +
|-
 +
!Implementation and Support
 +
|-
 +
|Will the vendor require access to college information technology resources or staff?
 +
|-
 +
|Does implementing this technology involve more than one work unit?
 +
|-
 +
|Does this technology require data or integration with other college technology?
 +
|-
 +
|How and who is going to maintain this technology after acquisition/implementation?
 +
|-
 +
|How and who is going to support this technology after acquisition/implementation?
 +
|-
 +
|Was an OCIO Project Risk Assessment completed?
 +
|-
 +
|Is there an investment plan?
 +
|-
 +
|Is there a project plan?
 +
|-
 +
|If the technology will be hosted on-premise, is there a technical feasibility study?
 +
|-
 
|}
 
|}
 
{| class="wikitable"
 
{| class="wikitable"
 
[[Category:Administrative]]
 
[[Category:Administrative]]
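Review bot: three wording problems in the added rows, plus one substantive gap. The accessibility row expands VPAT as "Voluntary Product Assessment Template"; the standard expansion is Voluntary Product Accessibility Template. "Do you have an plan to mitigate accessibility shortcomings" should read "a plan". The data-exchange row ends the imperative "describe the data being exchanged, how it will be exchanged and the security protocol that will be used" with a question mark; end it with a full stop. On substance, the row "Is the stored data encrypted?" gives a reviewer little to act on by itself: since the earlier row already distinguishes college-hosted (C&C) from vendor-hosted operation, consider also asking who holds and manages the encryption keys, the college or the vendor.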

Revision as of 16:27, 5 February 2019

Process Defined:

Useful Information for the Review:

Questions:

Procurement
Describe the technology that will be purchased.
What is the annual cost of the contract?
What are the on-going maintenance costs for this service/product?
Is the anticipated total cost less than $10,000 over the life of the contract?
Will there be any costs to the college in addition to this purchase? Please describe
What is the likely duration of the contract?
Will the technology be used by multiple users? Who will primarily use this product?
Is the technology for academic and/or classroom use?
Provide a copy of the vendor’s terms & conditions including the End User License Agreement (EULA), or the URL where they are located.
Are there any cooperative contracts available? Please describe.
Have you identified the key features and functionalities that you expect from this technology? Please describe or attach a list of requirements.

Data Security
Is the technology expected to operate on college computing devices (hosted by C&C) or on the vendor’s computing devices (hosted by the vendor)?
If the technology operates over the internet, is the data encrypted in transit (https)?
Does this technology use virtual private network (VPN) or secure file transfer protocols (SFTP)?
What data will be stored using this technology?
Will there be any personally identifiable (name, SSN, date of birth or physical address) or confidential data (protected by state or federal laws) stored in the device? FERPA data includes all educational records.
Will the vendor have access to and/or store any personally identifiable data, FERPA data or other confidential data?
Is the stored data encrypted?
How is access/security to this technology managed and by whom?
Will staff have access to all of the data or information stored in this technology? List individuals or groups who will have access.
How will the device be stored physically? Describe where it will be kept when in use and when in storage.
Does the technology support single sign on?
Does the technology support multi-factor authentication?
Will the college and vendor exchange any data? If yes, describe the data being exchanged, how it will be exchanged and the security protocol that will be used.
Describe your data archival and record retention plan.
Will the vendor return or delete all of the college's data when the contract terminates?

Accessibility
Is a Voluntary Product Accessibility Template (VPAT) or similar accessibility certification documentation available for the product/service? Please attach.
Has accessibility testing been performed on this technology within the last 12 months?
Do you have a plan to mitigate accessibility shortcomings that may arise from the use of this technology?

Implementation and Support
Will the vendor require access to college information technology resources or staff?
Does implementing this technology involve more than one work unit?
Does this technology require data or integration with other college technology?
How will this technology be maintained after acquisition/implementation, and by whom?
How will this technology be supported after acquisition/implementation, and by whom?
Was an OCIO Project Risk Assessment completed?
Is there an investment plan?
Is there a project plan?
If the technology will be hosted on-premise, is there a technical feasibility study?