Security Assessment Process

IT Services employs a Security Assessment Process for new technologies based on leading risk management practices for the identification, evaluation, acceptance, and reporting of risks to enable risk-informed decision-making. The objective of the Security Assessment Process is to protect Queen’s data and systems by ensuring that proper security controls are in place to mitigate the risks to Queen’s University and ensuring that potential exposures are managed within Queen’s University’s risk tolerance.

For more information, participants can visit:

Vendor Risk Management Module

The initiation, completion, and management of security assessments are conducted using the Vendor Risk Management module, accessed via ServiceNow. This module provides:

  • Improved line of sight: Ensuring that the appropriate individuals are aware of the technology-related risks associated with new technologies and services, and are aligned on appropriate mitigation plans, enables risk-informed decision making.
  • Reduced delays: Bottlenecks will be alleviated through automation and shared accountability for the process among faculties and departments.
  • Consistency: Following the revised process will ensure a consistent and repeatable application of security and privacy controls when units are adopting new technologies.

Technology security assessments are important because electronic information and systems are central to Queen’s University’s mission and user experience. However, information and systems are susceptible to cyber-threats. As such, information and systems should be regularly assessed for risks, to consider the adequacy of safeguards and ensure appropriate mitigation strategies. These activities include assessments of products and services, whether acquired from a third party or developed in house.

There are four key roles in the Security Assessment Process:

VPs, Deans, or their delegates are accountable for the risks associated with the technology in use within their units and, as such, are responsible for ensuring those risks are commensurate with Queen’s acceptable risk appetite.

The ISO, CPO, and Legal Counsel are responsible for providing expert guidance to Risk Assessors and Risk Owners throughout the Security Assessment Process.

Departmental IT heads and business officers are responsible for conducting security risk assessments, and for managing day-to-day technology-related risks.

Business Owners are deemed subject matter experts on the technology being assessed and, as such, are responsible for completing questionnaires in the Security Assessment Process.

Eligibility

Staff and faculty with responsibility for:

  • Information, systems, security, privacy, or strategic risk;
  • Assessing or evaluating technology to manage risks to information and technical assets;
  • Purchasing or acquiring third-party technology on behalf of the University and for use by the University; or
  • Other similar responsibilities.

Getting Started

Users will follow the appropriate SOP found in the table below to create a new assessment. To access ServiceNow, users will need an active Queen’s NetID.

Credentialed Vendors are able to access the module on the Vendor Assessment Portal.

The Standard Assessment Process steps can be found in the Standard Operating Procedure (SOP).

Step-by-step instructions for each role and corresponding Quick-Reference Guide (QRG) are available below:

Risk Owner: Risk Owner QRG

Risk Evaluator: Risk Evaluator QRG

Risk Assessor: Risk Assessor QRG

Business Owner: Business Owner QRG