What is a Security or Standards Review?
Security reviews are a necessary collaborative process to attempt to quantify risks associated with an IT related service or application. It ensures that necessary controls are integrated into the design and implementation of these kinds of services at Rice. The Information Security Office regularly performs thorough, standards-based reviews that can help provide departments more visibility into areas of concern that may not be obvious or otherwise addressed from conversations with potential service providers. For example, our review process can help identify poor or missing vendor security practices. We can evaluate terms and conditions for a planned service or identify missing contract terms required for the kinds of data to be used. We are also able to identify and help draft departmental data handling procedures.
Sometimes we receive multiple requests at the same time. If you are implementing a solution that will contain sensitive or regulatory data e.g. FISMA, HIPAA, PCI data, please contact the ISO as early as possible in the project or initiative so that ample time is allowed to evaluate the services thoroughly.
If you have any questions on whether or not you need a security review, email firstname.lastname@example.org.
What does the Review process look like?
Early identification and addressing of risk exposures will protect Rice's data, customer and end-user privacy, and ensure compliance with cybersecurity legislation and governance. There are a few steps to the review process.
Review Initiation - A request is made by a project team, department, or individual for a service to be reviewed.
Clarification - At this stage there may be follow up questions via email, questionnaires, or meetings scheduled to gather all relevant information for analysis of the service or services. This may also involve reaching out to vendors, third parties, or Rice partners and will be determined on an as needed basis.
Analysis Report - The ISO compliance team member will gather and analyze the information provided. Once potential risks have been identified, a Security Review Assessment will be completed and distributed to the person who requested the review.
Remediation & Risk Acceptance - The requester(s) can remediate or address any risks that are included in the report, working with the ISO and OIT if needed. All risks identified will be brought to the attention of the business sponsors, owners and executives requesting the given application/project. In the event that risks cannot be mitigated (reduced) or resolved (eliminated), the risk will need to be accepted by the CISO or CIO of the university.
For more on resolving risks to the university, please see our KB article: https://kb.rice.edu/102964