IT Services employs a Security Assessment Process for new technologies based on leading risk management practices for the identification, evaluation, acceptance, and reporting of risks to enable risk-informed decision-making. The objective of the Security Assessment Process is to protect Queen’s data and systems by ensuring that proper security controls are in place to mitigate the risks to Queen’s University and ensuring that potential exposures are managed within Queen’s University’s risk tolerance.
For more information, participants can visit:
- An overview of the Security Assessment Process
- A Cheat Sheet of tips and tricks for completing the process
- The Security Assessment SharePoint website
Vendor Risk Management Module
The initiation, completion, and management of security assessments are conducted using the Vendor Risk Management module accessed via ServiceNow. Benefits of this module include:
- Improved line of sight: Ensuring that the appropriate individuals are aware of the technology-related risks associated with new technologies and services, and are aligned on appropriate mitigation plans, enables risk-informed decision-making.
- Reduced delays: Bottlenecks will be alleviated through automation and shared accountability for the process among faculties and departments.
- Consistency: Following the revised process will ensure a consistent and repeatable application of security and privacy controls when units are adopting new technologies.
Technology security assessments are important because electronic information and systems are central to Queen’s University’s mission and user experience. However, information and systems are susceptible to cyber-threats. As such, information and systems should be regularly assessed for risks, to consider the adequacy of safeguards and ensure appropriate mitigation strategies. These activities include assessments of products and services, whether acquired from third parties or developed in house.
There are four key roles in the Security Assessment Process:
- Risk Owner: VPs, Deans, or their delegates are accountable for the risks associated with the technology in use within their units and, as such, are responsible for ensuring those risks are commensurate with Queen’s acceptable risk appetite.
- Risk Evaluator: ISO, CPO, and Legal Counsel are responsible for providing expert guidance to Risk Assessors and Risk Owners throughout the Security Assessment Process.
- Risk Assessor: Departmental IT heads and business officers are responsible for conducting security risk assessments, and for managing day-to-day technology-related risks.
- Business Owner: Business Owners are deemed subject matter experts on the technology being assessed and, as such, are responsible for completing questionnaires in the Security Assessment Process.
The process applies to staff and faculty with responsibility for:
- Information, systems, security, privacy, or strategic risk;
- Assessing or evaluating technology to manage risks to information and technical assets;
- Purchasing or acquiring third-party technology on behalf of the University and for use by the University; or
- Other similar responsibilities.
Credentialed Vendors are able to access the module on the Vendor Assessment Portal.
The Standard Assessment Process steps can be found in the Standard Operating Procedure (SOP).
Step-by-step instructions for each role and the corresponding Quick-Reference Guides (QRGs) are available below:
- Risk Owner: Risk Owner QRG
- Risk Evaluator: Risk Evaluator QRG
- Risk Assessor: Risk Assessor QRG
- Business Owner: Business Owner QRG