Cornell University

IT Governance, Risk, and Compliance Consultation

If you are purchasing new software, review this page and submit your request through the Technology Risk Assessment Form.

Network and system administrators can request information security assessments of their networks, systems, programs, and labs through the IT Security Office (ITSO). These assessments will analyze what vulnerabilities might exist that could threaten the confidentiality, integrity, and availability of data and IT resources, and offer suggestions for mitigating those risks.

IT Risk Assessment and Compliance Advising

IT Risk Assessment and Compliance Advising reviews a number of aspects of products and services. These aspects include:

  • Access: How users' access is managed.
  • Audit and governance: How vulnerability assessments and audits are managed.
  • Backup and recovery of data: Practices surrounding data backup and storage.
  • Change control procedures: Practices surrounding change management.
  • Compliance: Determining the appropriateness for use with various regulated data regimes.
  • Control of services: How much control the customer has over the functionality of the service or product.
  • Cross-border protection: Data residency issues.
  • Data breaches: Policy and procedures regarding data breaches or other data compromises.
  • Data ownership: Procedures for data labeling, processing, control, and segregation.
  • Data privacy: Policy and procedures to maintain an appropriate level of privacy for customer data.
  • Data protection: What steps are taken to protect customer data from risks to confidentiality, integrity, and availability.
  • Customer agreements: What legal or contractual conditions exist.
  • Service level agreements: What service level agreements (SLAs) exist and how those service levels are reviewed.

When to Contact

When investigating the purchase of a new product or service, especially ones that may handle any regulated data types, you should engage the ITSO as early in the process as possible. Ideally, the ITSO should be contacted at least four weeks before a purchasing decision must be made.

How to Start an Assessment

Email the IT Security Office. Include the contact information for the requester as well as contact information for the vendor when available. Indicate the timeline for the purchase decision and include any available documentation relating to the product or service to be assessed.

When software needs to be assessed, after reviewing this page, submit your request through the Technology Risk Assessment Form.

Process and Expectations

The ITSO will work with the customer and the vendor to gather any information relevant to the assessment. The process begins with the vendor completing a questionnaire that covers the general topics listed above. Once that questionnaire is completed, the responses are used to generate additional questions and requests for clarifications by the ITSO. The ITSO and the vendor will then have conversations to address these issues, usually done via email and telephone.

Once all this information has been collected and reviewed, the ITSO will produce a report to share with the customer. This report will include a description of the product or service being reviewed, a list of risks, and suggestions for mitigating those risks.

Timeframe for an Assessment

The assessment process can vary based on a number of factors, including complexity of the technical or legal environment, responsiveness of the vendor, and the ITSO schedule. Typically, the goal is to try to complete assessments within a few weeks of the initial engagement.
