It’s Data Privacy Week and ITS is celebrating by helping to spread awareness about data privacy. It is both an individual and organizational responsibility to protect data. While individuals can make choices to safely store and access their own data, organizations must have processes in place for managing and protecting large amounts of data.
UNC-Chapel Hill collects and stores a great deal of potentially sensitive data, including bank account and payment data, health information, personally identifiable information and employment records. Because this data is essential to the University, the University must take an active and ongoing role in protecting it.
As part of protecting data, UNC-Chapel Hill uses an IT risk assessment process. We asked Tashia Mccormick, Risk Team Lead with the Information Security Office (ISO), and Kim Stahl, Senior Policy and Process Lead with the IT Policy Office, to answer some common questions about how the University assesses risk to safeguard data.
What is an IT security risk assessment?
A risk assessment reviews software, products, and/or services to evaluate the potential for loss or harm as it relates to information security. Risk assessments are typically conducted by the central Information Security Office in Information Technology Services or the School of Medicine Security Office.
Why are risk assessments important?
Risk assessments are necessary to help identify security risks and evaluate the threat they pose to the confidentiality, availability and integrity of University systems and/or data. The ultimate goal is to reduce risks to an acceptable level.
Do I need a risk assessment?
A risk assessment is required for any system that touches or uses sensitive information, also known as Tier 2 or 3 University data, or is considered mission critical.
How and when are risk assessments typically initiated?
Send a request using the University Data Assistance form in the Service Portal. That will start both the IT Security Risk Assessment and the data governance review. If an earlier review was completed, you can include that information and likely shorten the time needed.
A risk assessment can be initiated early. Too often, the need for one isn’t caught until the last minute during the purchasing process when a Data Protection Checklist (DPC) form brings it to light. That’s meant to be a safety net to make sure the process happens. The risk assessment and other reviews can often be done well in advance. Consult with your department’s Information Security Liaison (ISL) or local IT support and/or via a ServiceNow request.
Purchasing Services requires departments to attach a Data Protection Checklist to requisitions for software purchases and contract renewals. The checklist indicates if sensitive information is involved with the request. If sensitive information is in scope, you will need to document your data governance review and risk assessment. If those weren’t done earlier, then that’s the time to send your University Data Assistance request.
How do I determine if a risk assessment has already been conducted on the software or service I want to purchase or use?
Check out the UNC Purchasing Guide on Safe Computing at UNC to determine if a risk assessment has already been conducted for a specific vendor product or use the guide to determine if a product or service with similar functionality has already been vetted and approved for use. Keep in mind that in most cases a review will be needed for your particular use. That’s almost always the case for Tier 3 data. The Purchasing Guide shows products that have succeeded in the past, and the ISO has a previous assessment to start with.
If your unit already had an earlier assessment, including if this is a renewal, you can attach the summary to the request, or refer to a previous request in ServiceNow to document it.
If the software or product I am interested in using appears in the Purchasing Guide, can I use it and bypass the risk assessment process?
Not necessarily. It depends on the type of data in scope for your request, and the type of application. Some systems, like Microsoft 365, have broad approval to store most types of data and for you to use them in expected ways without a new review. Other products have narrower reviews for many reasons.
If the sensitivity level of the data to be used expands from Tier 0/1 to Tier 2 or from Tier 2 to 3, an updated or new risk assessment may be required. This makes sure that a system considered safe enough for a lower level of data is doing all the things needed to protect that higher level of data.
The Data Governance Oversight Group (DGOG) will probably require a data review to ensure data usage has been appropriately identified, reviewed and approved. That is almost always needed for a new use of Tier 3 data. And it is often needed for uses of Tier 2 data that weren’t included in a system’s original reviews. Be sure to pay close attention to the scope notes section of the Purchasing Guide to determine if additional vetting is required.
What is a data governance review?
An IT Security risk assessment asks, “Is it safe enough?” A data governance review asks, “Is it acceptable, and is it a good idea?” The data governance review is meant to be a check on whether a planned data use is acceptable.
The data governance review may include questions like:
- Legally, is the use OK under the innumerable laws covering the University, like HIPAA or FERPA, or our state human resources or public records laws? Maybe we have a contract that controls what we can do with the data. Is it OK to put this particular data on a system hosted outside the country?
- Is it the use that was planned and explained when the data was collected, or is this a new use of data that might not have been originally planned for? Is that OK?
- And in the end, does the University want to take the expected risks with that data? The risks might include sharing with third parties, risks to data integrity or possible harm to people if something happens to their information.
To answer these questions, the Data Governance Oversight Group finds campus experts and authorities on specific kinds of data. Those experts are not usually involved in the projects, so they can weigh the best interests of the University, people whose data is involved and any ethical considerations right along with operational needs.
This review helps make sure other requirements, like accessibility, are being met. No one can be an expert on everything. This review helps our employees avoid harmful mistakes that could hurt people or hurt the University. Check out Data Governance at UNC for a lot more information on the process.
What information do I need to provide to initiate a risk assessment/data use review?
The University Data Assistance form will ask what’s needed. Please do not put any sensitive information in your request. The more information you can offer up front, the easier it will be. But if you’re not sure, just leave it blank.
How can I help in the risk assessment process?
The Information Security Office partnered with several campus departments to create the Risk Assessment Partnership Program (RAPP). The program was designed to increase the collaboration efforts between the Information Security Office and departments across campus to improve the efficiency of the risk assessment process. If your department is interested in joining RAPP, please have your Information Security Liaison submit a ServiceNow request to ITS Security.
What type of information is needed from the vendor to help complete the risk assessment?
The vendor must supply a third-party risk assessment report such as a SOC 2 Type 2 or a Higher Education Community Vendor Assessment Toolkit (HECVAT). We may also request vendor policies (e.g., Information Security Policy, Change Control Policy, Acceptable Use Policy, Incident Response Policy) and a data flow and/or network diagram.
A HIPAA (Health Insurance Portability and Accountability Act) assessment may be required if protected health information (PHI) data is in scope.
Are any additional reviews needed by any other entities/offices other than the Data Governance Oversight Group (DGOG) and the Information Security Office that go along with the risk assessment process?
Possibly. It depends on the data in scope for your request. For example, the Privacy Office may need to get involved in requests involving protected health information (PHI). The CERTIFI committee is required for credit card holder data. The Digital Accessibility Office may be able to help if you run into challenges getting or interpreting the Voluntary Product Accessibility Template (VPAT) or if the product might need and qualify for an accessibility exception for procurement. The University Data Assistance request will be handled by someone you can talk with directly. They can help you identify those other campus resources and connect you.