
Data Risk Assessment

Stanford University is committed to providing reliable access to data in support of Stanford University’s educational and research mission. To help Stanford community members ensure that data is maintained and protected to the greatest extent possible, the Data Risk Assessment (DRA) process was formalized to evaluate potential risk. 

The purpose of DRA is to:

  • evaluate projects with Moderate and High Risk data, including collaborations with outside parties and research studies that involve sophisticated technological platforms;
  • ensure that appropriate safeguards are in place to protect the confidentiality, integrity, and availability of Stanford information assets; and
  • identify gaps in the existing or proposed information security control environment of a given research project.

The value of the DRA process is that it offers Stanford community members a consolidated and streamlined risk assessment approach, whereby representatives of the Stanford Information Security Office (ISO), University Privacy Office, and Office of the General Counsel (OGC) can evaluate security, privacy, and legal risks, as applicable.

The sections below provide more detailed information on the DRA process steps, including expected deliverables.

When a review is needed: Prior to the implementation of new services or projects that handle Moderate and High Risk data, including changes to the way existing services handle such data
Deliverables: A report with the recommendations required to produce an acceptable level of residual risk
Timeframe: Four weeks, assuming information is provided in a timely fashion
Progress updates: Weekly and as needed

Process steps (step number, responsible party, process step):

Step 1 (Requester):
  • Submit HelpSU ticket to request resources.
  • Download and complete DRA intake form.
  • Submit this intake form and other supporting information via email by replying to HelpSU ticket.

Step 2 (DRA team):
  • Review submitted information and request additional information, as needed.
  • Prepare and issue report to requester and other designated recipients.

Step 3 (Requester):
  • Implement recommendations.
  • Consult with DRA team if additional assistance is needed.

Last modified September 8, 2016