BSD Security Assessment and Authorization (SAA)

Have you ever asked…

  • Is my existing or new system secure?
  • Is my research data safe?
  • How do I obtain security configurations for grants or IRB approval?

If so, the BSD Information Security Office (ISO) can assist you with identifying security requirements with your project and ensure that these systems are protecting your data through the Security Assessment and Authorization (SAA) service.

The goals of the SAA processes are to provide a consistent approach for identifying and quantifying security risks of information systems supporting academic and research activities and to provide the BSD with a better understanding of the security risks within the BSD network.

 

Workflow diagram for the Security Assessment and Authorization Service process

 

The BSD SAA consists of four phases where the primary objective is to assist Information System Owners with conforming to security best practices and ensuring systems align with organizational cyber security policies.

The BSD SAA process builds on our current tools for assessing departments including the BSD Cyber Security Policies and Standards, Cyber Security Assessment Tool (CSAT), Vulnerability Management and CIS-CAT.

The Information System Owner will complete a questionnaire in BSD ISO’s Governance Risk and Compliance tool, LockPath, to capture the required information needed to assess the associated security risk of deploying an information system within the BSD.

Please use the following process for completing the Security Assessment and Authorization process for a BSD system supporting academic and research activities.

  • Step 1 – Email security@bsd.uchicago.edu with the name of the system that requires a security assessment.
  • Step 2 – BSD ISO IT Cyber Risk Analyst will initiate a new request in LockPath and the requestor will receive an email with a link to the questionnaire with further instructions.
  • Step 3 – If additional information is required including supporting documents, dataflow diagrams, etc., a BSD ISO IT Cyber Risk Analyst will contact the information system owner to discuss the questionnaire and the additional information required.
  • Step 4 – Using the information submitted, the IT Cyber Risk Analyst will perform a risk analysis of the system.
  • Step 5 – After the risk analysis is completed, the IT Cyber Risk Analyst will schedule a call to discuss the findings with the information system owner and if necessary develop a risk reduction plan.
  • Step 6 – The system’s risk reduction plan is then presented to the BSD ISO Leadership to determine if the system falls within defined risk thresholds and is Authorized To Operate (ATO).

Frequently Asked Questions

Q1. Are the results of my review confidential? 

A1. The LockPath form is only accessible to the requestor and the BSD ISO. During the course of the review additional teams may need to be consulted to conduct a review.

Q2. What type of systems should complete the BSD Security Assessment and Authorization process?

A2. Any planned, new or existing information systems that supports the BSD academic and research activities are expected to complete the SAA process.

Q3. How long will the security assessment and authorization process take?

A3. The SAA process could take approximately 1-2 weeks once all necessary information is received by the BSD ISO.

Q4. Will I still be able to operate my system if it is not authorized?

A4. Yes, this SAA process will not hinder any research systems from operating. The BSD ISO will work with the system owners to develop a risk reduction plan with a timeline to bring the system within the organizational risk thresholds.

Q5. Will my system be HIPAA compliant after completing SAA process?

A5. The SAA process utilizes the NIST Cyber Security Framework which aligns to HIPAA controls. Although, this process does not certify for HIPAA compliance.