Information Technology Services

Security Assessment Process

IT Services has introduced a revised Security Assessment Process for new technologies. It is based on leading risk management practices for the identification, evaluation, acceptance, and reporting of risks, to enable risk-informed decision making.  

The objective of the Security Assessment Process is to protect Queen’s data and systems. It ensures that appropriate security controls are in place to mitigate risks to Queen’s University and that potential exposures are managed within the University’s risk appetite.

The Security Assessment Process is an enhanced process designed to improve upon the former Authority to Operate (AtO) process that Queen’s used to assess privacy and security risks when adopting cloud applications. 

Moving forward, security assessment initiation, completion, and management will be conducted using the ServiceNow Vendor Risk Management (VRM) module. This process provides: 

  • Improved line of sight: Ensuring the right individuals are aware of the technology-related risks associated with new technologies and services, and are aligned on appropriate mitigation plans, enables risk-informed decision making. 

  • Reduced delays: Bottlenecks will be alleviated through automation and shared accountability for the process among faculties and departments. 

  • Consistency: Following the revised process will ensure a consistent and repeatable application of security and privacy controls when units are adopting new technologies and

What are the components of the process?

There are four key roles in the Security Assessment Process:

  • Risk Owners (VPs, Deans, or their delegates) are accountable for the risks associated with the technology in use within their units and, as such, are responsible for ensuring those risks remain within Queen’s risk appetite.

  • Risk Evaluators (e.g., ISO, CPO, Legal Counsel) are responsible for providing expert guidance to Risk Assessors and Risk Owners throughout the Security Assessment Process. 

  • Risk Assessors (e.g., departmental IT heads, business officers) are responsible for conducting security risk assessments, and for managing day-to-day technology-related risks. 

  • Business Owners are the subject matter experts on the technology being assessed and, as such, are responsible for completing the questionnaires in the Security Assessment Process.

Why are technology security assessments important? 

Electronic information and systems are central to Queen’s University’s mission and user experience. However, information and systems are susceptible to cyber threats. As such, they should be regularly assessed for risk, to confirm the adequacy of existing safeguards and to ensure appropriate mitigation strategies are in place. These assessments cover products and services whether acquired from third parties or developed in-house.

Getting Started

How do I access ServiceNow? 

To access ServiceNow, you will need a Queen’s NetID. Credentialed vendors can access the module through the Vendor Assessment Portal.

Additional information, including step-by-step instructions for each role, is available using the table below (note that you will be required to authenticate with your NetID and password):

Role            | Standard Operating Procedures (SOP)   | Quick-Reference Guide (QRG)
----------------|---------------------------------------|----------------------------
Risk Owner      | Risk Owner SOP                        | Risk Owner QRG
Risk Evaluator  | Risk Evaluator SOP                    | Risk Evaluator QRG
Risk Assessor   | Risk Assessor SOP                     | Risk Assessor QRG
Business Owner  | Business Owner SOP                    | Business Owner QRG

You can also view an overview of the Security Assessment Process, as well as a Cheat Sheet of tips and tricks. The Security Assessment SharePoint site also contains information that you may find helpful.