Technology Risk Assessment Process
TRA Intake Form - Fill it out?
The following questions can guide you in determining if a TRA is required.
Note: answering Yes to any one of these questions will trigger the need for a TRA submission.
- Is your need technological in orientation and new to the organization?
- Does your solution require access to, or will it create or transmit, University records or data?
- Is your solution hosted off campus including by a SaaS vendor or in the cloud?
- Does your vendor (if applicable) require a contract?
- Will the solution interface with existing systems (receive data from an existing system, or send data to another system)?
- Will your solution require any sort of eCommerce transactions using a University of Regina-owned payment processor, or a payment processor provided by another party?
- Does your solution require the use of Supply Management Services for the procurement of the technology solution?
If you do not believe you require a technology risk assessment to be completed, please contact TRMC to confirm at TRMC@uregina.ca. Most technology initiatives will require a technology risk assessment.
Please use the TRA Intake form to provide your solution's information.
This is the first step of the technology risk assessment, and the form will be the primary source of information for the Technology Risk Assessment Committee to review.
- Most of the form asks for information your team can provide: the name of the initiative, a description, the impact, the nature of the data, etc.
- You may need to have your vendor provide certain components for you as questions become more technical (if applicable).
- Please be as specific as possible.
- There are opportunities within the form to upload attachments, etc.
When conducting an RFP for a technology solution, additional information is needed. Vendors should complete the Vendor Assessment Form as part of their submissions and the schedule for the RFP process should accommodate analysis and decision by TRMC prior to award of any contract.
The types of information requested on the TRA Intake form are:
General
- Name of initiative, reason for the solution, contact information, criticality, etc.
- Location and infrastructure in scope
- Parties involved in solution (faculty, department, unit, vendor)
Supply Management Services
- Proposed procurement process
- Contract term length (if applicable)
- Details of licensing and/or costs of purchase (including implementation)
Financial Services (some of this information will be provided via the vendor form)
- Details related to eCommerce requirement
- Payment processing data flow
- PCI compliance
Privacy and Security
- Nature of data / sensitivity of data
- Volume of data
- Transmission requirements
- Disclosure requirements
- Lifecycle of data
Contractual
- Contract terms - including risk management, liabilities and indemnities
Supporting details
- Attachments such as security controls provided by vendor
- License agreements
- Please fill out all the relevant fields in the TRA Intake form and include the relevant information provided from the vendor, if applicable.
- When finished, please submit this form to trmc@uregina.ca. A member of the TRMC will follow up shortly thereafter to confirm all information has been received.
- There may be some follow up in terms of clarification and/or to obtain other documents.
The TRMC will receive the submission and will develop a document articulating any potential risks of the application and/or solution to the University of Regina.
The solution will be assessed based on:
- Information Risk Classification Framework: based on the type of data included in your solution, the risk associated with the initiative will be classified as low risk, medium risk, or high risk. The Information Risk Classification Framework is defined in Information Technology Initiatives Policy OPS-080-030 Appendix B.
- Data Handling Standards: Each risk classification (as determined in the risk classification framework) has associated standards required for information security.
- Contractual and legal review
- Privacy requirements associated with legislation such as LAFOIP, CASL, and HIPA
- Procurement policies
- Records and Information Management requirements
- Financial requirements such as PCI DSS compliance
Depending on the complexity of the solution, TRMC may need to meet to discuss the submission in more detail (the TRMC Group meets every month to discuss submissions).
- A typical timeline associated with this process is approximately 4 weeks.
- You will receive a report of the submitted information shortly following the conclusion of the assessment.
This report will provide:
- Classification of the risk based on the data in scope of the solution.
- Risks identified by an evaluation against the data handling standards for the appropriate classification of information risk.
- Risks associated with contracts or agreements, privacy, procurement, records and information management, or financial risk.
- Recommendations to manage identified risk.
- Record of approval to operate.
The TRA Process establishes a risk level.
- Processes such as legal contract negotiation, privacy impact assessments, and e-commerce configurations fall outside the scope of TRA, but may be informed by it.