Technology Risk Assessment
Technology Risk Assessments (TRAs) help identify risks from the use of technology that could potentially cause information loss or financial or reputational harm to the university. A TRA helps determine if technology acquisitions comply with federal and state laws and Cornell policy for protecting critical data before they are implemented. The goal is to reduce the overall exposure of the university to technology security risks. The service is provided by Cornell’s IT Security Office (ITSO).
When a TRA Is or Isn't Required
Answering the questions on the short TRA request form takes just few minutes and allows the ITSO to help you determine if a TRA is necessary.
The following generally do not require a TRA (unless their use will involve confidential data):
Centrally Licensed Software: Software that is available through CU Software Licensing
Licensed Software for Faculty and Staff
Licensed Software for Students
- Desktop Productivity Software: Software used on user’s desktops (unless confidential data or restricted data is involved--this may be the case when using desktop database software).
- Software for Machines: Software used to run scientific instruments or other machines or collect data from those machines (unless combined with restricted data). Answering the questions on the short TRA request form takes just few minutes and allows the ITSO to help you determine if a TRA is necessary.
TRAs are for More Than Just Software
While requesting a TRA prior to purchasing software is important, TRAs can also be requested for implementation of the technology or significant changes such as upgrades to software or significant re-configuration (such as changes in hosting) that could significantly impact the security of the system.
Benefits Received from a TRA
You will receive a TRA Report that will identify any cybersecurity risks identified and if it is compliant with applicable laws, regulation and policy. The document provided contains a list of prioritized risks (if any are discovered) and their impacts along with suggested actions to mitigate them. This provides a basis for explicit decisions by your unit regarding these risks. Please note, while the ITSO makes a reasonable effort to identify issues, it cannot guarantee that all cybersecurity issues will be discovered during a TRA.
Turnaround Time for a TRA
The time to complete an evaluation ranges from two to four weeks. Several factors can increase the duration such as TRA work load and the time a vendor takes to respond to the standard security questionnaire. Evaluation activities may include evaluation of the hosting environment and its physical security, software and its implementation, integrations, electronic communication and vendor security practice.
Risk Assessment and Purchase Considerations
TRAs that result in the decision not to purchase are rare. In such cases, it is because the risks could not be mitigated. In most cases, the risks can be mitigated or are acceptable (see "TAME Actions to Address Risks," below).
Identified risks generally do not have to be mitigated prior to purchase. You may proceed with purchasing a solution upon the completion of a TRA. It is preferable to mitigate all risks prior to implementation and final rollout. However, other factors often have to be weighed as part of the risk mitigation plan, such as unnecessary delays or other consequences to cost-benefit. Decisions to accept risk (even if temporarily) at deployment time are ideally addressed explicitly in the risk mitigation plan for the software. When an identified risk is mitigated (even after procurement or implementation), please notify the ITSO so that the records can be updated.
Responsibility for Identified Risks
Ultimately, the head of the unit requesting and purchasing the software is accountable for the risks and any associated impacts. Together with the unit security liaison, the unit head should understand the impact and exposure of each risk and decide how to address it (see "TAME Actions to Address Risks," below). The TRA report provides suggestions for risk mitigation but does not address contingency planning—the proposed response if impacts for a risk are realized—this is the responsibility of the unit that requested the TRA. The ITSO is always available to provide further guidance to address identified risks.
TAME Actions to Address Risks
TAME is an acronym for the actions that can be taken to address a risk (more than one may apply to any risk—Transfer, Accept, Mitigate, Eliminate).
|Transfer||Removal of the risk and its potential harms to a third party such as an insurer.|
|Accept||Agree to live with the risk and to develop a contingency plan in case the risk occurs.|
|Mitigate||Develop and execute a plan to reduce the potential impacts or probability for a risk.|
|Eliminate||Remove any probability of exposure to a risk (often by a decision not to implement the technology or aspect of the technology).|