Technology Risk Assessments
Information
The processes documented in the TRA are intended for administrative, operational, and instructional functions. The University's Research community is directed toward the Research Ethics Board.
- The TRA Process is concerned with examining proposed solutions being introduced into the University of Regina's technological environment.
- This introduction of an initiative might include a platform for an operational group, a digital service for a department, or a suite of tools for a particular use case or user.
The TRA Process culminates with a document, which includes recommendations and/or the approval to operated from the University’s process participants based on an assessment of details of the proposed technology.
- The document is to be used for advisory purposes within the University, divisional, departmental, and unit contexts
- This assessment is for submitters to better understand better where risks might exist within the proposed solution across a variety of vectors.
The TRA seeks to satisfy the requirements of the Information Technology Initiatives Policy OPS-080-030, which requires a formal assessment of a technology initiative which utilizes University records to determine if data risk is classified appropriately, data handling standards are applied to mitigate risk, and residual risk is accepted.
The TRA is conducted by the Technology Risk Assessment Committee (TRMC).
The diagram below illustrates the sequence of events.
- The TRA should be considered a resource for our community to better understand better any potential risks associated with technical solutions.
- Due to the diverse nature of the TRA membership (Privacy, Information Security, Procurement, Financial Services, Records and Information Management), the various expertise represented can provide a more complete picture of proposed solutions.
- The TRA Process does not absolve University of Regina, departments/units, or individuals of overall responsibility.
- Risks that are accepted are still risks.
- The TRA Process runs along an approximately 4 week response window, whereby a risk profile report will be generated that will assign a risk level along with any relevant comments from the committee.
- Each of the processes listed separately from the TRA Process may have variable timelines associated with relevant activities.
- Each of these process areas will be informed by the risk report from the Technology Risk Management Committee (TRMC) but will have other concerns that may operate differentially.
- For example, Financial Services may need to research more deeply into an eCommerce solution and may challenge the approach.
- Similarly, Information Services may need to examine the technological architecture and determine an initiative as not a fit for the organizational University's technology footprint.
The TRMC will work to evaluate the proposed solution, determine risk and recommendations, and where appropriate, provide approval to proceed.
Technology Risk Management Committee
The University of Regina’s Technology Risk Management Committee (TRMC) is comprised of 5 central functions within the University of Regina:
- University Secretariat (Compliance and Contracts/Protocol and Privacy Office),
- Financial Services, Supply Management Services,
- Information Services/Information Security,
- Records and Information Management.
- Additional representatives may also be tasked with guest contributions to the TRMC membership on an as needed basis where additional expertise is required.
- Contact he TRMC at TRMC@uregina.ca.
The TRMC is authorized in Information Technology Initiatives Policy OPS-080-030.
Purpose of Technology Risk Assessment
due diligence required to ensure that software, hardware, and data-provisioning initiatives are adequately protected, and/or that the risks involved are understood, recorded and accepted by the required stakeholders within the University.
- While the approach is geared towards technological initiatives, there is great variability in the types of solutions that are within scope.
- Some projects might require a formal Request For Proposal (RFP) based on the costs involved, and others might be cloud-based solutions that have no fees at all.
- Some solutions may require e-commerce transactions, and others may not be geared as such.
- And others may deal with Personally Identifiable Information (PII), while many may not. In each scenario, (significant) risk may exist, and this process is meant to help our partners across the organization understand these components and to assist in mitigating and/or accepting the understood risks.
The University of Regina has a legal obligation and an ethical responsibility to protect the information and processes related to our operational, and academic portfolios.
- One of the ways that we accomplish this goal is through a Technology Risk Assessment (TRA) for any initiative being brought forward at the University of Regina that has some technological (in a broad sense) dimension to it.
This process is geared towards the University community and its partners, employees and operations to understand the risks associated with technology-related solutions.
- The advent of web-based, cloud-oriented applications, along with traditional client/server applications, has grown tremendously, and there has been an acute increase in how these technologies use data (University of Regina’s or others'), interact with other systems, and transmit information.
- Each process may be vulnerable, and the TRA is our institution’s due diligence in understanding the risks.
The TRA is needed to systematically assess risk across the University such that it is evaluated within the context institutional risk appetite.
- It is critical that risk be assessed uniformly so that individual initiatives do not encumber the institution with undue risk. The TRA process also helps support enterprise risk management such that risk is identified, evaluated, and reported.
- The TRA is defined and required by Information Technology Initiatives Policy OPS-080-030.