Risk Assessment

What is this Service?

Risk Assessment is a service that applies to all types of technology, both first-party and third-party. It is a process for identifying, analyzing, and prioritizing potential risks and their impact on the organization. It covers a solution or service from pre-procurement through the end of its life.

Service Offerings Available by Request:

  • GRC Consultation
    Whether you're considering purchasing a product/service/solution, you’ve already purchased it, learned of new regulations for an existing service, or just have general questions about IT risk management, request a Security Consultation with the Governance, Risk, and Compliance (GRC) team to discuss.
  • Application Security Risk Assessment (ASRA)
    Michigan State University (MSU) requires an Application Security Risk Assessment (ASRA) as part of the implementation of products or services. The ASRA determines what controls must be implemented based on the classification of the data.
  • Data Use Agreement (DUA)
    Governance, Risk and Compliance (GRC) reviews DUAs for security Terms and Conditions. GRC partners with Cyber-Research Infrastructure (RCI) to interview the Principal Investigator to discover how the data in the DUA will be stored, processed, or transmitted.
  • Export Control Open Review Worksheet (ECORRW)
    Governance, Risk and Compliance (GRC) reviews ECORRWs for Security Terms and Conditions. GRC partners with Cyber-Research Infrastructure (RCI) to interview the Principal Investigator to discover how the data in the ECORRW will be stored, processed, or transmitted. Changes to current security practices may be required to meet the conditions of the agreement.
  • IT Readiness Form
    The information on this form is required to assess the initial acquisition and/or renewal of any IT-related product or service. After you complete this form, a PDF copy of your responses will be generated and should be attached to your KFS requisition.
  • Pre-Award Institutional Proposal (IP) and Proposal Development (PD)
    Governance, Risk and Compliance (GRC) reviews Pre-Award IPs or PDs for security Terms and Conditions. GRC partners with Cyber-Research Infrastructure (RCI) to interview the Principal Investigator to discover how the data in the IP or PD will be stored, processed, or transmitted.
  • Security Exception Request
    A Security Exception Request can only be filed on the basis of a ticket documenting the results of your GRC Consultation or Risk Assessment. An exception may be considered when a system cannot apply the control(s) as required, due to legitimate technical or documented business constraints.
  • Service Provider Security Assessment (SPSA)
    Michigan State University (MSU) requires a Service Provider Security Assessment (SPSA) as part of the purchase of products or services. MSU is committed to engaging with suppliers that have the capability of providing an accessible, secure, usable, and integrated user experience.

Who Is Eligible to Use It?

Risk Assessment is a service scoped to assess Information Technology (IT) and security risks for the entire university.

Whether you are considering purchasing a product/service/solution, you’ve already purchased it, learned of new regulations for an existing service, or just have general questions about IT risk management, request a Security Consultation with the Governance, Risk, and Compliance (GRC) team to discuss it further.

Definitions

First-party technology refers to tools or systems that collect and manage data directly from an organization's own users through platforms it owns, such as websites, mobile apps, and CRM systems. First-party risk assessment needs can include:

  • Security Control(s) Validation
  • IAM Onboarding (initial SSO or MFA setup requests)
  • Service Account or Shared Mailbox creation
  • Requests for access to departed employee/student workstations/OneDrive/Inbox
  • Application Security Risk Assessments (ASRAs)
  • Environmental Security Risk Assessments (ESRAs)
  • Material Transfer and Confidential Disclosure
  • Data Use Agreements (DUAs)
  • Data Sharing Agreements (DSAs)
  • Security Control Exception Requests
  • Remote Work and/or Travel Requests

Third-party technology refers to any software, hardware, or service created by a company or individual not directly affiliated with the primary organization that provides the main platform or system. Third-party risk assessment needs would be related to the IT Purchasing Process, including:

  • IT Readiness Forms and Submissions
  • Service Provider Security Assessments (SPSAs)
  • Contract Review
  • PCI Attestation of Compliance (AOC) Review
  • Higher Education Community Vendor Assessment Toolkit (HECVAT) Review

Information Technology (IT) refers to any equipment or interconnected system or subsystem of equipment that is used in the creation, conversion, or duplication of data or information. This includes, but is not limited to:

  • telecommunications products
  • information kiosks and transaction machines
  • Internet and Intranet websites
  • web-delivered content
  • software
  • electronic books and electronic book reading systems
  • search engines and databases
  • multimedia
  • classroom technology
  • office equipment
  • computers, laptops, and tablets

Requests:

  • Request GRC Consultation
  • Complete the IT Readiness Form
  • Complete Security Exception Request Form

Related Articles (1)

Frequently asked questions (and their answers) about the IT Readiness Form
