Skip to content Skip to site navigation Skip to service navigation

How to Request and Complete a Data Risk Assessment (DRA)

The DRA serves to help you and your team collect, store, and use High Risk Data appropriately. The Information Security Office (ISO) and the University Privacy Office (UPO) evaluate projects based on all applicable security and privacy laws and regulations as well as University policy.

The DRA process takes approximately two weeks from the time a complete DRA Intake Form and supporting documents are submitted and assigned to an ISO/UPO resource.

How to complete the Data Risk Assessment prescreening process

In order to streamline the Data Risk Assessment (DRA) process, we have implemented a DRA pre-screening questionnaire. The purpose of the DRA pre-screening questionnaire is to determine if your project needs to go through the DRA process. The DRA pre-screening questionnaire will save you time by allowing you to find out if a DRA is needed, without completing the full DRA Intake Form.

  1. Go to ServiceNow and complete the Data Risk Assessment pre-screening questionnaire.
  2. If the pre-screening questionnaire determines that a DRA is necessary, proceed to step 3, otherwise no further action is needed.

Only if Step 2 above indicates a full DRA intake is required:

  1. Complete the Data Risk Assessment Intake Form.
    • The Data Risk Assessment Intake Form requests information from both your project team and the third party/vendor. Please work with the third party/vendor to complete the Third Party/Vendor Privacy and Security portion of the DRA Intake Form. You will be able to email a link to the form to the third party/vendor directly from REDCap.
  2. After you have completed the DRA Intake Form, gathered the necessary documentation, and submitted your request the information will be sent to the Data Risk Assessment Team.
  3. Your request will be assigned to team members in ISO and UPO. Those individuals will follow up with you directly to discuss the project, additional information needed (if any), and a timeline for completion of the DRA.
  4. Once the DRA is complete, you will receive a final joint report from ISO and UPO. The report will identify the privacy and security risks as well as recommendations for privacy and security safeguards that should be implemented by the project team and/or the third party/vendor to properly protect the data involved.

If you have any questions about the form or process, please contact the Data Risk Assessment Team at dra_review@lists.stanford.edu.

Last modified January 12, 2021