What is a security review?
A security review is a collaborative process used to identify security-related issues, determine the level of risk associated with those issues, and make informed decisions about risk mitigation or acceptance.
When is a security review needed?
A security review should be completed for all services and service changes that may affect security prior to go-live. Security reviews can also be performed for existing services if business or technical partners determine one is needed – typically in response to security concerns or new security-related requirements.
Steps for completing a security review:
A Security Review template is available at:
- Blank - http://its.ucsc.edu/security/docs/issue-matrix.doc
- Seeded with common security issues - http://its.ucsc.edu/security/docs/issue-matrix-seeded.doc
- Brainstorming: Identify known or potential security concerns/threats/vulnerabilities.
  - To be done by technical and business partners together, including IT Policy and Security. This can be done by a Service Team if all parties are represented.
  - The Service Manager or convener of the review should seed the list with already-identified issues prior to the larger brainstorming session.
  - Note: Common issues are identified in the "seeded" version of the template (link above). Not all pre-seeded issues will apply to all situations. This template also has space to add project-specific issues in addition to the pre-seeded issues.
- Identify existing and planned/scheduled mitigations for each issue.
- Rank the likelihood (low/med/high) of the issue occurring given existing/planned mitigations, and the impact if it were to occur (low/med/high).
- Identify residual risk (low/med/high); risk = likelihood x impact.
- Identify additional possible mitigations to address residual risk, and their effort/cost (low/med/high).
- Present the information to the business partner or Service Sponsor for acceptance/non-acceptance of residual risk.
  - Acceptance or non-acceptance should specify any conditions, or acceptance as-is.
  - Where additional action is required, identify action items, owners, and dates where possible.
For additional information, to inquire about Service Manager mentoring, or for feedback on this toolkit, please contact Client Services and Security using the ITS Feedback form.