Risk Assessment

What is this Service?

Risk Assessment is an IT service that covers everything from first-party to third-party risk. It is a process for identifying, analyzing, and prioritizing potential risks and their impact on the organization. This includes discussion of items from pre-procurement of a given solution/service through the end of life of that solution.

Michigan State University (MSU) is committed to providing an accessible, secure, usable, and integrated user experience. When purchasing Information Technology (IT), units should understand the impact these purchases have on individuals with disabilities in and outside the university. These purchases should also align with the MSU Institutional Data Policy and MSU Web Accessibility Policy when relevant. In an effort to improve campus service experiences, MSU Information Technology updated the process to accommodate common low-risk hardware and low-risk security purchases.

Please Note: This is not an approval for purchase. You still must follow your unit's procurement process to obtain approval for purchasing the IT product or solution.

Who Is Eligible to Use It?

GRC’s Risk Assessment service is scoped to assess IT and security risks for the entire organization.

Whether you are considering purchasing a product/service/solution, you've already purchased it, have learned of new regulations for an existing service, or just have general questions about IT risk management, reach out to us and we'll set up a consulting call to discuss further.

Definition

First-party would include things such as:

  • Security Control(s) Validation
  • IAM Onboarding (initial SSO or MFA setup requests)
  • Service Account or Shared Mailbox creation
  • Requests for access to departed employee/student workstations/OneDrive/Inbox
  • Application Security Risk Assessments (ASRAs)
  • Environmental Security Risk Assessments (ESRAs)
  • Material Transfer and Confidential Disclosure, Data Use Agreements (DUAs), or Data Sharing Agreements (DSAs)
  • Security Control Exception Requests
  • Remote Work and/or Travel requests

Third-party would be related to the IT Purchasing Process, which includes:

  • IT Readiness questionnaires
  • Service Provider Security Assessments (SPSAs)
  • contract review
  • PCI Attestation Of Compliance (AOC) review
  • HECVAT review

Information Technology (IT) refers to any equipment or interconnected system or subsystem of equipment that is used in the creation, conversion, or duplication of data or information.

IT includes, but is not limited to:

  • telecommunications products
  • information kiosks and transaction machines
  • Internet and Intranet websites
  • web-delivered content
  • software
  • electronic books and electronic book reading systems
  • search engines and databases
  • multimedia
  • classroom technology
  • office equipment
  • computers, laptops, and tablets

Purchasing Information Technology

MSU IT has created an Approved Software List, which allows employees to purchase select software without the submission of an IT Readiness form. The IT Readiness form must be submitted via requisition for the following types of IT purchases:

  • Hardware
  • Tier 1 software, if the cost is above the cardholder's single transaction purchase limit or if the software will process or store confidential information
  • Tier 2 software, if the cost is above the cardholder's single transaction purchase limit or the user type/use case isn't met
  • Tier 3 software, even if it is free software

Note: Purchases made through the MSU Tech Store do not require an IT Readiness form.

Free Software

Complete the IT Readiness Form

IT Readiness Form
The information on this form is required to assess the initial acquisition and/or renewal of any IT-related product or service. After you complete this form, a PDF copy of your responses will be generated and should be attached to your KFS requisition.