BSD Security Assessment and Authorization (SAA)
Have you ever asked…
- Is my existing or new system secure?
- Is my research data safe?
- How do I obtain security configurations for grants or IRB approval?
If so, the BSD Information Security Office (ISO) can assist you with identifying the security requirements for your project and with ensuring that these systems protect your data, through the Security Assessment and Authorization (SAA) service.
In March 2016, a working group consisting of University of Chicago stakeholders was established to develop the risk-based BSD Security Assessment and Authorization (SAA) process and procedures. The implementation of the risk-based SAA process assists the BSD in understanding the security risk imposed by information systems supporting academic and research activities.
The goals of the SAA processes are to provide a consistent approach for identifying and quantifying security risks of information systems supporting academic and research activities and to provide the BSD with a better understanding of the security risks within the BSD network.
The BSD SAA consists of four phases where the primary objective is to assist Information System Owners with conforming to security best practices and ensuring systems align with organizational cyber security policies.
The BSD SAA process builds on our current tools for assessing departments including the BSD Cyber Security Policies and Standards, Cyber Security Assessment Tool (CSAT), Vulnerability Management and CIS-CAT.
The Information System Owner uses the SAA Tool (MS Excel Workbook) to capture the required information needed to assess the associated security risk of deploying an information system within the BSD.
Please use the following process for completing the Security Assessment and Authorization process for a BSD system supporting academic and research activities.
- Step 1 – Download and read the BSD Security Assessment and Authorization procedures document
- Step 2 – Download the BSD SAA Data Gathering Form; the information system owner completes it and e-mails it to the BSD ISO security mailbox at firstname.lastname@example.org
- Step 3 – A BSD ISO IT Cyber Risk Analyst will contact the information system owner to discuss the Data Gathering Form and request additional information if needed.
- Step 4 – If a full security assessment is required, the information system owner will provide system design criteria and complete a questionnaire in the BSD SAA tool. The information system owner will e-mail the SAA package including supporting documentation to the assigned IT Cyber Risk Analyst.
- Step 5 – The IT Cyber Risk Analyst will perform a risk analysis of the SAA package submitted by the information system owner.
- Step 6 – After the risk analysis is completed, the IT Cyber Risk Analyst will work with the information system owner to develop a risk reduction plan.
- Step 7 – The system’s risk reduction plan is then presented to the BSD ISO Leadership to determine whether the system falls within the defined risk thresholds and is Authorized To Operate (ATO).
Frequently Asked Questions
Q1. Is there a way that I can confidentially submit a system for review?
A1. Contact the BSD ISO directly via email@example.com for anonymous & confidential submissions and questions.
Q2. What type of systems should complete the BSD Security Assessment and Authorization process?
A2. Any planned, new or existing information system that supports the BSD academic and research activities is expected to complete the SAA process.
Q3. How long will the security assessment and authorization process take?
A3. The SAA process could take approximately 2-4 weeks, depending on the complexity of the system and assuming information is provided in a timely fashion.
Q4. Will I still be able to operate my system if it is not authorized?
A4. Yes, this SAA process will not hinder any research systems from operating. The BSD ISO will work with the system owners to develop a risk reduction plan with a timeline to bring the system within the organizational risk thresholds.
Q5. Will my system be HIPAA compliant after completing SAA process?
A5. The SAA process utilizes the NIST Cyber Security Framework, which aligns to HIPAA controls. However, this process does not certify HIPAA compliance.