Overview

UCSF is required by a number of policies, laws, and regulations to assess the security risk of information systems that handle UCSF data. 

What is an IT security risk assessment at UCSF?

The IT security risk assessment process collects information about each of our information systems and scores their security compliance. The process measures the security aspects of all computing devices associated with the system including servers, desktop computers and laptops, mobile devices, network hardware, and other related technologies.

The goal of measuring system security is to protect the information. A risk assessment demonstrates how well the protections built into the system design positively support the confidentiality, integrity and availability of its data. 

The questions that make us the risk assessment are answered by assertions, and the UCSF system owner (the UCSF employee who maintains or purchases the system) must understand the system design and use case.  

Risk assessment requirements

To perform a risk assessment, the system owner or a technical delegate must:

• Identify the name of the system. 
• Identify the data classification, which determines the sensitivity of the information being created, stored, transmitted or otherwise processed inside or outside UCSF. Please see the UCSF Data Classification Standard.

Examples of systems that would need risk assessments: a department-managed human research study database, an on-premise clinical care solution, a cloud-hosted student information system, or an enterprise financial system.

Do you need a distributed systems technical risk assessment?

Have you prepared for this type of risk assessment?

• Do you have a completed data flow diagram? This is a document describing the data flow of the system from every asset and endpoint, both internal and external, showing the specific ports and protocols that are to be used (e.g., port 443) to protect the data in transit.  If you need assistance preparing the data flow diagram, please work with the Customer Solutions Management group by submitting an IT Consultation Request at https://ucsf.service-now.com/ess/consulting_planning.do.
• Do you have all management roles of the system identified (e.g., who "owns" the system, who will manage accounts, who will perform patching)?
• Have the security procedures you will use to manage the system been documented?
• Have you worked with UCSF IT to complete a Business Impact Analysis (BIA) for the system? If not, you must initiate a BIA by contacting Bernie Conlu ([email protected]) – this can be done in parallel with the risk assessment. See http://itsm.ucsf.edu/business-impact-analysis-bia-0 for more information.

How to request a security risk assessment

Once (1) the system is in final design, with a data flow diagram that shows what ports are used, and (2) the resource owner and system name are known, use the following link to submit a request for a system security risk assessment: https://ucsf.service-now.com/ess/sec_risk_assessment.do.

What to expect during the risk assessment process

Step 1: Preparation/background questions

The assessor will send the UCSF contact an email outlining the assessment process and requirements. The assessment tool will then send the UCSF contact an invitation to complete the preparation/background questions using the assessment tool web interface.

Step 2: Technical questions

The assessor will send an email to the technical contact identified in the preparation/background questions (this may be a vendor contact or an internal UCSF contact) as notification that they will need to answer the technical assessment questions. The assessment tool will then send the technical contact an invitation to complete the technical assessment questions.

Step 3: Assessment review

The assessor will confirm the responses by manually reviewing the assessment responses, attached documentation, and data flow diagram, to assure that UCSF security compliance requirements are addressed.  Depending on the results, the assessor may need to discuss findings or required remediation actions with the UCSF system owner. 

Step 4: Completion

The assessor will email the system owner with notification that the assessment is complete and include a description of any findings with required and/or recommended remediation actions.

Who is the audience for the information documented by the risk-assessment process?

Depending on the data classification and use case, the audience will vary. The information gathered and documented should be organized and formatted in such a way that someone who has a technical background can understand the various components of the system and its purpose, data flows and life-cycle, the security controls put in place and the management controls for the system. 

In addition to the primary purpose of risk assessment review, the project documentation may be referred to by a wide-ranging audience for tasks such as contractual review, grant review, incident response, board review, third-party review and other security attestation activities. Some of these circumstances are uncommon, but preparation for them supports appropriate diligence and information stewardship in the event a breach or other incident occurs. 

The audience may typically include any or all of the following: University of California entities (e.g., Office of the President, UCSF IT Security, UCSF Audit & Advisory Services, other UC campuses or medical centers), federal and state government entities (e.g., HHS Office for Civil Rights [OCR], National Institutes of Health [NIH], California Department of Public Health [CDPH]), and federal, state, local or UC law enforcement.