Security Review

What is a security review?
A security review is a collaborative process used to identify security-related issues, determine the level of risk associated with those issues, and make informed decisions about risk mitigation or acceptance.

When is a security review needed?
A security review should be completed for all services and service changes that may affect security prior to go-live. Security reviews can also be performed for existing services if business or technical partners determine one is needed – typically in response to security concerns or new security-related requirements.

Steps for completing a security review:

A Security Review template (an issue matrix with one row per issue) is available in two versions:
Blank - http://its.ucsc.edu/security/docs/issue-matrix.doc
Seeded with common security issues - http://its.ucsc.edu/security/docs/issue-matrix-seeded.doc

  1. Brainstorming: Identify known or potential security concerns/threats/vulnerabilities
    1. To be done by technical and business partners together, including IT Policy and Security. This can be done by a Service Team if all parties are represented.
    2. The Service Manager or convener of the review should seed the list with already-identified issues prior to the larger brainstorming session.
    3. Note: Common issues are identified in the "seeded" version of the template (link above). Not all pre-seeded issues will apply to all situations. This template also has space to add project-specific issues in addition to the pre-seeded issues.
  2. Identify existing and planned/scheduled mitigations for each issue.
  3. Rank the likelihood (low/med/high) of the issue occurring given the existing/planned mitigations, and the impact (low/med/high) if it were to occur.
  4. Identify residual risk (low/med/high); risk = likelihood x impact. Read the residual risk from the matrix below (rows are likelihood, columns are impact):

                        Impact
     Likelihood     Low     Med     High
     Low            L       L-M     M
     Med            L-M     M       H
     High           M       H       H

     The matrix is symmetric: a low-likelihood, high-impact issue and a high-likelihood, low-impact issue both rate M. Because likelihood is ranked with existing and planned mitigations already taken into account, the result is the residual risk, not the raw risk.
  5. Identify additional possible mitigations to address the residual risk, and the effort/cost (low/med/high) of each.
  6. Present information to business partner or Service Sponsor for acceptance/non-acceptance of residual risk.
    1. The acceptance or non-acceptance should either state that the residual risk is accepted as-is or specify the conditions under which it is accepted.
    2. Where additional action is required, identify action items, owners, and due dates where possible.

Additional Information:
For additional information, to inquire about Service Manager mentoring, or for feedback on this toolkit, please contact Client Services and Security using the ITS Feedback form.