Stanford University is committed to providing reliable access to data in support of Stanford University’s educational and research mission. To help Stanford community members ensure that data is maintained and protected to the greatest extent possible, the Data Risk Assessment (DRA) process was formalized to evaluate potential risk.
The purpose of DRA is to:
- evaluate projects with Moderate or High Risk Data, including collaborations with outside parties and research studies that involve sophisticated technological platforms;
- ensure that appropriate safeguards are in place to protect the confidentiality, integrity, and availability of Stanford information assets; and
- identify gaps in the existing or proposed information security control environment of a given research project.
The value of the DRA process is that it offers Stanford community members a consolidated and streamlined risk assessment approach, whereby representatives of the Stanford Information Security Office (ISO), University Privacy Office, and Office of the General Counsel (OGC), can evaluate security, privacy, and legal risks, as applicable.
To help expedite DRA process, a third party or vendor should provide current compliance documentation to ISO and Privacy, such as:
- SSAE 16
- SOC-2 Type-2 report
- PCI-DSS attestation of compliance (AoC)
- HIPAA/HITECH AoC
- ISO/IEC 27000 series
- Vulnerability scan results
- Penetration testing results
- Business Associate Agreement (BAA)
- Architecture and data flow diagrams
In the absence of compliance documentation, third party or vendor will be required to fill out the ISO security questionnaire.
The following sections provide more detailed information on the DRA process, including expected deliverables.
|When a review is needed:||Prior to the implementation of new services or projects that handle Moderate or High Risk Data, including changes to the way existing services handle such data|
|Deliverables:||A report with the recommendations required to produce an acceptable level of residual risk|
|Timeframe:||Four weeks from the time a ServiceNow ticket is assigned to an ISO resource, assuming information is provided in a timely fashion|
|Progress updates:||Weekly, and as needed|
|#||Responsible party||Process step|