Cornell University

Technology Risk Assessment

Identify risks from the use of technology

Technology Risk Assessments (TRAs) help identify risks from the use of technology that could potentially cause information loss or financial or reputational harm to the university. A TRA helps determine whether technology acquisitions comply with federal and state laws and Cornell policy for protecting critical data before they are implemented. The goal is to reduce the university's overall exposure to technology security risks. The service is provided by Cornell's IT Security Office (ITSO).

When a TRA Is or Isn’t Required

When confidential or restricted data as defined in Policy 5.10 will be involved (processed, stored, transferred, or communicated) in any way, then a TRA is required per Cornell policy.

Answering the questions on the short TRA request form takes just a few minutes and allows the ITSO to help you determine if a TRA is necessary.

The following generally do not require a TRA (unless their use will involve confidential data):

  • Centrally Licensed Software: Software that is available through CU Software Licensing
  • Desktop Productivity Software: Software used on users' desktops (unless confidential or restricted data is involved; this may be the case when using desktop database software).
  • Software for Machines: Software used to run scientific instruments or other machines, or to collect data from those machines (unless combined with restricted data).

TRAs are for More Than Just Software

While requesting a TRA prior to purchasing software is important, TRAs can also be requested for implementation of the technology or significant changes such as upgrades to software or significant re-configuration (such as changes in hosting) that could significantly impact the security of the system.

Benefits Received from a TRA

You will receive a TRA Report that lists any cybersecurity risks identified and states whether the technology is compliant with applicable laws, regulations, and policy. The report contains a prioritized list of risks (if any are discovered) and their impacts, along with suggested actions to mitigate them. This provides a basis for explicit decisions by your unit regarding these risks. Please note that while the ITSO makes a reasonable effort to identify issues, it cannot guarantee that all cybersecurity issues will be discovered during a TRA.

Turnaround Time for a TRA

The time to complete an evaluation ranges from two to four weeks. Several factors can increase the duration, such as TRA workload and the time a vendor takes to respond to the standard security questionnaire. Evaluation activities may include review of the hosting environment and its physical security, the software and its implementation, integrations, electronic communication, and vendor security practices.

Risk Assessment and Purchase Considerations

TRAs that result in the decision not to purchase are rare. In such cases, it is because the risks could not be mitigated. In most cases, the risks can be mitigated or are acceptable (see TAME Actions to Address Risks below).

Identified risks generally do not have to be mitigated prior to purchase. You may proceed with purchasing a solution upon the completion of a TRA. It is preferable to mitigate all risks prior to implementation and final rollout. However, other factors often have to be weighed as part of the risk mitigation plan, such as unnecessary delays or other consequences to cost-benefit. Decisions to accept risk (even if temporarily) at deployment time are ideally addressed explicitly in the risk mitigation plan for the software. When an identified risk is mitigated (even after procurement or implementation), please notify the ITSO so that the records can be updated.

Responsibility for Identified Risks

Ultimately, the head of the unit requesting and purchasing the software is accountable for the risks and any associated impacts. Together with the unit security liaison, the unit head should understand the impact and exposure of each risk and decide how to address it (see TAME Actions to Address Risks below). The TRA report provides suggestions for risk mitigation but does not address contingency planning—the proposed response if impacts for a risk are realized. This is the responsibility of the unit that requested the TRA. The ITSO is always available to provide further guidance to address identified risks.

TAME Actions to Address Risks

TAME (Transfer, Accept, Mitigate, Eliminate) is an acronym for the actions that can be taken to address a risk. More than one may apply to any risk.

Action and what it means for the risk:

  • Transfer: Removal of the risk and its potential harms to a third party, such as an insurer.
  • Accept: Agree to live with the risk and to develop a contingency plan in case the risk occurs.
  • Mitigate: Develop and execute a plan to reduce the potential impacts or probability of a risk.
  • Eliminate: Remove any probability of exposure to a risk (often by a decision not to implement the technology or the relevant aspect of the technology).
