How to Request and Complete a Data Risk Assessment

In order to streamline the Data Risk Assessment (DRA) process, we have implemented a DRA pre-screening questionnaire. The purpose of DRA pre-screening questionnaire is to determine if your project needs to go through the DRA process. The DRA pre-screening questionnaire will save you time by allowing you to find out if a DRA is needed, without starting a ServiceNow request and completing a DRA Intake Form. If your project requires a DRA, please follow the instructions below.

The Data Risk Assessment process

The DRA process was established to ensure that the appropriate safeguards are in place to protect the confidentiality, integrity, and availability of Stanford systems and data, including data that are entrusted to Stanford.

The DRA serves to help you and your team collect, store, and use Moderate and High Risk Data appropriately. The Information Security Office (ISO) and the University Privacy Office evaluate projects based on all applicable security and privacy laws and regulations as well as University policy.

The DRA process takes four weeks from the time a ServiceNow request is assigned to an ISO/Privacy resource and information in section 2(b) is provided in a timely manner.

How to complete a Data Risk Assessment

1. Go to ServiceNow and complete the Data Risk Assessment pre-screening questionnaire.
2. If the pre-screening questionnaire determines that a DRA is necessary, you will need to complete the Data Risk Assessment Intake Form.
   • The Data Risk Assessment Intake Form requests information from both your project team and the vendor/collaborator. Please work with the vendor/collaborator to complete section C of the DRA Intake Form.
   • While completing the DRA Intake Form, begin gathering the necessary documentation that will be needed for the DRA. Examples of documentation that may be needed depending on your project are:
     • SSAE 16
       • SOC-2 Type-2 report
       • A bridge letter if the SOC-2 Type-2 report is in between evaluation periods
     • PCI-DSS attestation of compliance (AoC)
     • HIPAA/HITECH AoC
     • HIPAA Security Rule risk assessment
     • ISO/IEC 27001 series certification
     • Vulnerability scan results
     • Penetration testing results
     • Business Associate Agreement (BAA)
     • Architecture and data flow diagrams
   • Below are examples of completed Data Risk Assessment Intake Forms for you to download and review:
     • Research PHI (High risk data)
     • PCI-DSS (High risk data)
     • General Moderate risk

     Note: If privacy and security attestations/audits are unavailable, the vendor will be asked to provide privacy and security policies and procedures and may be asked to complete the ISO Security questionnaire.

3. After you have completed the DRA Intake Form and gathered the necessary documentation, please update your existing ServiceNow ticket by attaching the DRA Intake Form and any other documentation.
4. After submitting the DRA Intake Form, your request will be assigned to team members in ISO and the University Privacy Office. Those individuals will follow up with you directly to discuss the project, additional information needed (if any), and a timeline for completion of the DRA.
5. Once the DRA is complete, you will receive a final joint report from ISO and the University Privacy Office. The report will identify the privacy and security risks as well as recommendations for privacy and security safeguards that should be implemented by the project team and/or the vendor to properly protect the data involved.
   • The final report is confidential; please do not share the full report with the vendor.
   • The recommendations that are the responsibility of the vendor can be shared with the vendor and should be included in the contract.