Security Review
What is a security review?
A security review is a collaborative process used to identify security-related issues, determine the level of risk associated with those issues, and make informed decisions about risk mitigation or acceptance.
When is a security review needed?
A security review should be completed for all services and service changes that may affect security prior to go-live. Security reviews can also be performed for existing services if business or technical partners determine one is needed – typically in response to security concerns or new security-related requirements.
Steps for completing a security review:
A Security Review template is available at:
Blank - http://its.ucsc.edu/security/docs/issue-matrix.doc
Seeded with common security issues - http://its.ucsc.edu/security/docs/issue-matrix-seeded.doc
- Brainstorming: Identify known or potential security concerns/threats/vulnerabilities
- To be done by technical and business partners together, including IT Policy and Security. This can be done by a Service Team if all parties are represented
- The Service Manager or convener of the review should seed the list with already-identified issues prior to the larger brainstorming session
- Note: Common issues are identified in the "seeded" version of the template (link above). Not all pre-seeded issues will apply to all situations. This template also has space to add project-specific issues in addition to the pre-seeded issues.
- Identify existing and planned/scheduled mitigations for each issue
- Rank likelihood (low/med/high) of the issue occurring given existing/planned mitigations, and impact if it were to occur (low/med/high)
- Identify residual risk (low/med/high); risk = likelihood x impact, read from the matrix below (L-M means between low and medium)

                  Impact
  Likelihood   Low     Med     High
  Low          L       L-M     M
  Med          L-M     M       H
  High         M       H       H

- Identify additional possible mitigations to address residual risk, and effort/cost (low/med/high)
- Present information to business partner or Service Sponsor for acceptance/non-acceptance of residual risk.
- The decision should state whether the residual risk is accepted as-is, accepted with specified conditions, or not accepted.
- Where additional action is required, identify action items, owners, and dates where possible.
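The following is an added example, not part of the UCSC toolkit or the Security Review template: a machine-readable version of the issue matrix that encodes the likelihood x impact table above, computes residual risk for each issue, and orders the issues so the highest residual risk is presented first. The issue names, mitigations, owners, and the assumption that everything rated M or above goes to the Service Sponsor for an explicit decision are constructed for illustration; the page sets no such threshold.

```python
"""Added example: the security review issue matrix as data.

Not code from the UCSC toolkit. Encodes the page's likelihood x impact
matrix and derives residual risk per issue so the list can be sorted and
presented for acceptance. Sample issues below are constructed.
"""
from dataclasses import dataclass, field

# Residual risk matrix from the page: (likelihood, impact) -> residual risk.
RESIDUAL = {
    ("low", "low"): "L",   ("low", "med"): "L-M",  ("low", "high"): "M",
    ("med", "low"): "L-M", ("med", "med"): "M",    ("med", "high"): "H",
    ("high", "low"): "M",  ("high", "med"): "H",   ("high", "high"): "H",
}
# Ordering used to sort issues so the highest residual risk comes first.
RANK = {"L": 0, "L-M": 1, "M": 2, "H": 3}
LEVELS = ("low", "med", "high")


@dataclass
class Issue:
    name: str
    likelihood: str            # rated given existing/planned mitigations
    impact: str
    existing_mitigations: list = field(default_factory=list)
    additional_mitigations: list = field(default_factory=list)  # (description, effort)
    owner: str = ""            # owner of any resulting action item


def residual_risk(likelihood, impact):
    """Look up residual risk; rejects anything outside low/med/high."""
    lk, im = likelihood.lower(), impact.lower()
    if lk not in LEVELS or im not in LEVELS:
        raise ValueError(f"likelihood and impact must be one of {LEVELS}")
    return RESIDUAL[(lk, im)]


def prioritize(issues):
    """Issues sorted highest residual risk first; ties keep input order."""
    return sorted(issues, key=lambda i: -RANK[residual_risk(i.likelihood, i.impact)])


def needs_decision(issues, threshold="M"):
    """Issues at or above the (assumed) threshold that the Service Sponsor
    must explicitly accept, accept with conditions, or reject."""
    return [i for i in issues
            if RANK[residual_risk(i.likelihood, i.impact)] >= RANK[threshold]]


def summary_lines(issues):
    """One line per issue, in presentation order, for the acceptance meeting."""
    lines = []
    for i in prioritize(issues):
        r = residual_risk(i.likelihood, i.impact)
        existing = ", ".join(i.existing_mitigations) or "none"
        options = "; ".join(f"{d} (effort {e})" for d, e in i.additional_mitigations) \
            or "none identified"
        lines.append(f"[{r}] {i.name} | existing: {existing} | options: {options}")
    return lines


# Constructed sample issue matrix (illustrative only).
SAMPLE = [
    Issue("Service account password never rotated", "med", "high",
          ["password stored in vault"],
          [("rotate quarterly via automation", "low")], "ops"),
    Issue("Admin UI reachable from the internet", "high", "high",
          [], [("restrict to campus VPN", "low"), ("add MFA", "med")], "svc-mgr"),
    Issue("Verbose error pages in test environment", "low", "low",
          ["test env not exposed"], [], ""),
    Issue("Backups not encrypted at rest", "low", "high",
          ["backup host in restricted network"],
          [("enable volume encryption", "med")], "ops"),
]

if __name__ == "__main__":
    for line in summary_lines(SAMPLE):
        print(line)
    print(f"{len(needs_decision(SAMPLE))} issue(s) require a sponsor decision")
```

Keeping the matrix as the single source of truth means the L-M cells are not silently rounded up or down by whoever fills in the template, and the sorted output matches the order in which residual risks are presented to the sponsor.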
Additional Information:
For additional information, to inquire about Service Manager mentoring, or for feedback on this toolkit, please contact Client Services and Security using the ITS Feedback form.