Network and system administrators can request information security assessments of their networks, systems, programs, and labs through the IT Security Office. These assessments will analyze what vulnerabilities might exist that threaten the confidentiality, integrity, and availability of data and IT resources and offer suggestions for mitigating those risks.

IT Risk Assessment and Compliance Advising

IT Risk Assessment and Compliance Advising reviews a number of aspects of products and services. These aspects include:

• Access: How users' access is managed.
• Audit and Governance: How vulnerability assessments and audits are managed.
• Backup and Recovery of Data: Practices surrounding data backup and storage.
• Change Control Procedures: Practices surrounding change management.
• Compliance: Determining the appropriateness for use with various regulated data regimes.
• Control of Services: How much control the customer has over the functionality of the service or product.
• Cross-Border Protection: Data residency issues.
• Data Breaches: Policy and procedures regarding data breaches or other data compromises.
• Data Ownership: Procedures for data labeling, processing, control, and segregation.
• Data Privacy: Policy and procedures to maintain an appropriate level of privacy for customer data.
• Data Protection: What steps are taken to protect customer data from risks to confidentiality, integrity, and availability.
• Customer Agreements: What legal or contractual conditions exist.
• Service Level Agreements: What SLAs exist and how those service levels are reviewed.

When to Contact

When investigating the purchase of a new product or service, especially ones that may handle any regulated data types, you should engage the ITSO as early in the process as possible. Ideally, the ITSO should be contacted at least four weeks before a purchasing decision must be made.

If you are looking into purchasing new software, then please review the Technical Risk Assessment page and submit your TRA request through the provided form.

How to Start an Assessment

Send a message to the ITSO at security-services@cornell.edu. You should include the contact information for the requester as well as any contact information for the vendor. You should also indicate the timeline for the purchase decision and send along any documentation you may have regarding the product or service to be assessed.

**Again, please note if you have software that you need assessed, submit a TRA after reviewing the Technical Risk Assessment page.**

Process and Expectations

The ITSO will work with the customer and the vendor to gather any information relevant to the assessment. The process begins with the vendor completing a questionnaire that covers the general topics listed above. Once that questionnaire is completed, the responses are used to generate additional questions and requests for clarifications by the ITSO. The ITSO and the vendor will then have conversations to address these issues, usually done via email and telephone.

Once all this information has been collected and reviewed, the ITSO will produce a report to share with the customer. This report will include a description of the product or service being reviewed, a list of risks, and a list of suggested ways to mitigate those risks.

Timeframe for an Assessment

The length of the assessment process varies based on a number of factors, including complexity of the technical or legal environment, responsiveness of the vendor, and the ITSO schedule. We typically attempt to complete assessments within a few weeks of the initial engagement.