Skip to content Skip to site navigation Skip to service navigation

How to Request and Complete a Data Risk Assessment

In order to streamline the Data Risk Assessment (DRA) process, we have implemented a DRA pre-screening questionnaire. The purpose of DRA pre-screening questionnaire is to determine if your project needs to go through the DRA process. The DRA pre-screening questionnaire will save you time by allowing you to find out if a DRA is needed, without completing a DRA Intake Form. If your project requires a DRA, please follow the instructions below.

The Data Risk Assessment process

The DRA process was established to ensure that the appropriate safeguards are in place to protect the confidentiality, integrity, and availability of Stanford systems and data, including data that are entrusted to Stanford.

The DRA serves to help you and your team collect, store, and use High Risk Data appropriately. The Information Security Office (ISO) and the University Privacy Office (UPO) evaluate projects based on all applicable security and privacy laws and regulations as well as University policy.

The DRA process takes approximately four weeks from the time a complete DRA Intake Form and supporting documents are submitted and assigned to an ISO/UPO resource.

How to complete a Data Risk Assessment

  1. Go to ServiceNow and complete the Data Risk Assessment pre-screening questionnaire.
  2. If the pre-screening questionnaire determines that a DRA is necessary, you will need to complete the Data Risk Assessment Intake Form.
    • The Data Risk Assessment Intake Form requests information from both your project team and the third party/vendor. Please work with the third party/vendor to complete the Third Party/Vendor Privacy and Security portion of the DRA Intake Form. You will be able to email a link to the form to the third party/vendor directly from REDCap.
  3. After you have completed the DRA Intake Form, gathered the necessary documentation, and submitted your request the information will be sent to the Data Risk Assessment Team.
  4. Your request will be assigned to team members in ISO and UPO. Those individuals will follow up with you directly to discuss the project, additional information needed (if any), and a timeline for completion of the DRA.
  5. Once the DRA is complete, you will receive a final joint report from ISO and UPO. The report will identify the privacy and security risks as well as recommendations for privacy and security safeguards that should be implemented by the project team and/or the third party/vendor to properly protect the data involved.

If you have any questions about the form or process, please contact the Data Risk Assessment Team at dra_review@lists.stanford.edu.

Last modified October 27, 2017