Technology Formal Risk Assessment

In order to enhance the data risk management practices and meet regulatory expectations, VCU requires a formal risk assessment for IT projects and services that are designed to handle confidential and regulated (Category I) University information. Through a collaborative effort among Procurement Services, the Information Security Office, and the Controller's Office, VCU has defined a set of processes for determining the applicability of the risk assessment to a new IT purchase request, as well as a process for annual review of existing in-scope projects and services.

Please use the following questions to determine whether something is an "in-scope" IT purchase:

  1. Is this request for the procurement of a service or a product designed to collect, process, transmit, store, or otherwise handle University information?

    Examples include:

    • A computer server designed to provide file storage for a department
    • An application used to track performance and risk metrics in a department
    • An online survey application used to collect data on behalf of the University
    • A third party service used to assist with the processing of information collected by VCU
  2. If you answered "yes" to question 1, then will the product or service provider create, access, process, or manage University information on behalf of VCU?

    Examples include:

    • A third party website that allows students to submit school applications
    • An online survey tool designed to help with data collection for a University project
    • A third party data storage tool designed to provide storage space for University data
    • An online learning management system designed to provide training and progress tracking for students and/or employees
    • A third party data processing company used to normalize University data collected by a department
  3. If you answered "yes" to 1 and 2, then the purchase qualifies as a third party IT purchase, and the IT Governance Data Classification form must be completed to initiate a risk assessment process.

Last updated: 08/01/2017