Stanford University is committed to providing reliable access to data in support of Stanford University’s educational and research mission. To help Stanford community members ensure that data is maintained and protected to the greatest extent possible, the Data Risk Assessment (DRA) process was formalized to evaluate potential risk.
The purpose of DRA is to:
- evaluate projects with Moderate and High Risk data, including collaborations with outside parties and research studies that involve sophisticated technological platforms;
- ensure that appropriate safeguards are in place to protect the confidentiality, integrity, and availability of Stanford information assets; and
- identify gaps in the existing or proposed information security control environment of a given research project.
The value of the DRA process is that it offers Stanford community members a consolidated and streamlined risk assessment approach, whereby representatives of the Stanford Information Security Office (ISO), University Privacy Office, and Office of the General Counsel (OGC), can evaluate security, privacy, and legal risks, as applicable.
The following sections below provide more detailed information of the DRA process steps, including expected deliverables.
| When a review is needed: | Prior to the implementation of new services or projects that handle Moderate and High Risk data, including changes to the way existing services handle such data | |
| Deliverables: | A report with the recommendations required to produce an acceptable level of residual risk | |
| Timeframe: | Four weeks assuming information is provided in a timely fashion | |
| Progress updates: | Weekly and as needed | |
| # | Responsible party | Process step |
|---|---|---|
| 1 | Requester |
|
| 2 | DRA team |
|
| 3 | Requester |
|
