The Division of Information Technology (DIT) IT Compliance team performs risk assessments of potential third party IT products. Performing a risk assessment on a product before it is procured is an industry best practice. In addition, the completion of each assessment ensures that the University of Maryland (UMD) complies with University System of Maryland IT Security Standards.
When should a risk assessment be performed?
A risk assessment should ALWAYS be performed for some IT products, including but not limited to:
- Enterprise resource planning (ERP) systems.
- Software as a service (SaaS).
- Cloud storage.
- Customer relationship management (CRM) systems.
Risk assessments verify that the vendor is reputable and that the proposed product has an adequate security posture to handle the proposed data elements.
Why are risk assessments necessary?
By completing a risk assessment before procuring an IT product, the university confirms the following:
- University data will be adequately secured.
- Any transmitted data remains the property of UMD.
- The product is accessible for all potential users.
- Data privacy is defined and suitable.
How long do risk assessments take to complete?
Typically, a full risk assessment takes between 15 and 45 business days to complete. The duration depends greatly on vendor responses and on the classification of the proposed data elements. Because an assessment takes so much time and so many resources to complete, we ask that notice be provided well in advance. Due to the various factors involved in these reviews, completing an assessment in under a month can be difficult, especially before the start of a semester or at the end of the financial year in June.
Since resources are finite and reviews take a considerable amount of time to complete, there is a slightly different process for applications and browser extensions, especially if they are free. We acknowledge that many available products make both everyday tasks and time-consuming processes go faster. However, everything has a price.
Before requesting a risk assessment
If there is interest in a free or very inexpensive application or browser extension, we ask that the following be done before a risk assessment is requested:
- Verify that the product or vendor has a privacy policy.
- Read over the privacy policy as if you were housing your personal data.
- Determine the country in which the product was developed.
Areas of concern
Certain qualities about an application can cause concern:
- The vendor does not have a privacy policy.
- The vendor's privacy policy allows them to share all data freely with whomever they please.
- If the vendor is outside the U.S., it is likely that all data they collect will be stored outside the U.S. as well.
The fact that an application or extension is available in an application store (e.g. Google Play, Apple App Store) does not guarantee that the product will handle your data in a secure manner.
Questions?
For questions about the risk assessment process, or to request that a product be reviewed, please reach out to IT-Compliance@umd.edu.