Understanding Data Risk Assessments
As the volume of Stanford data continues to grow exponentially, so do the risks associated with its storage, processing, and management. To safeguard sensitive information, the university Information Security Office (ISO) and University Privacy Office (UPO) conduct data risk assessments (DRAs).
A DRA is a review of whether a proposed transfer of High Risk data to a third-party vendor is consistent with Stanford’s Minimum Security Standards and Minimum Privacy Standards. In other words, before High Risk data is sent to or received from a non-Stanford partner, how the data is transferred and used must be evaluated to understand the extent of risk to the university.
How the DRA process works
At Stanford, the DRA process has five parts. After the DRA intake form and all supporting documents are submitted, the process typically takes four to six weeks.