The Information Security Office (ISO) conducts security reviews of new services or projects that handle High and Moderate Risk Data. Reviews of systems handling Low Risk Data are optional, and ISO may conduct such reviews as necessary.
Initial steps
To initiate the review process, complete the preparation steps listed below:
- Open a HelpSU ticket and select Privacy and Information Security and Privacy and Security Review to initiate the review.
- Identify the point of contact for this review.
- Complete the intake form and ensure the information below is included if applicable:
- Data flow diagram (how the data flows through all system components)
- Architecture diagram showing how firewalls, routers, and other devices are set up
- If a third party is involved (e.g., vendors, service providers), ensure the following information is provided:
- Documentation of whether the vendor has gone through any third party security attestations (SSAE 16; SOC I, II, etc.)
- Business Associate Agreements (BAAs) or other contracts in place between the relevant parties
- Vendor's Security and Software Development Life cycle (SDLC) policies
- Vendor's disaster recovery plans and Vendor's penetration test results
ISO steps
- Review the information provided.
- Contact the requestor and coordinate a meeting with requestor and key stakeholders.
- Depending on the issues identified during this meeting, we might request further information and/or schedule meetings, as needed.
- We will be communicating our initial issues and recommendations to requestor/customer during meetings and providing periodic status updates.
- We will send a draft copy of the report for validation and understanding and allow for an opportunity to provide additional mitigating information if needed.
- Final report will be issued.
