As part of any significant information technology project, it is very important to identify and incorporate information security requirements at the early planning stage. In doing so, the risk of new security and compliance problems being introduced into the University environment is greatly reduced. It also minimizes the risk of project schedule delays and cost overruns when security requirements must be retrofitted into systems and/or contractual agreements late in the process.
The purpose of this questionnaire is to:
- facilitate identification of security requirements for a given information technology project; and
- help minimize risks associated with planned outsourcing of mission critical IT services.
This questionnaire is intended for an information technology project (as defined in the Definitions section) that will:
- involve (e.g., create, obtain, transmit, maintain, use, process, store or dispose) University data classified as Highly Sensitive; or
- acquire ongoing vendor IT services (e.g., application software hosting, hardware/software infrastructure, data storage facilities, staffing, etc.) considered mission critical by the project sponsor.
The questionnaire consists of six sections as follows:
- Identify sensitivity of data the project involves
- Describe plans, if any, for use of vendor IT services.
- Describe planned user access methods.
- Describe planned data input/output processes.
- Describe plans for data storage and destruction.
- Review University Data Protection Standards.