Security Assessments for UMD Units

The Division of Information Technology (DIT) IT Compliance team develops and conducts security assessments as a trusted adviser and/or counselor for Information Systems. Utilizing security controls and standards recommended by the National Institute of Standards and Technology (NIST), the SANS Institute and University System of Maryland IT Security Standards, the IT Compliance team will evaluate the current state of your IT environment against these controls and standards. The IT Compliance team will also provide solutions to any problems or vulnerabilities found throughout the security assessment process.

The goal of a security assessment is to assist units within the University of Maryland (UMD) College Park community. This is made possible via a member of IT Compliance who will review the current configurations of a unit and ensure appropriate security controls are in place to protect confidential data and decrease the likelihood of successful information security incidents. The mission of IT Compliance is to enhance and protect organizational value and improve the University's operations by providing risk-based and objective assurance, advice, and insight. 

Below are example scenarios that would benefit from having a Security Assessment performed by IT Compliance:

Security assessments are only performed upon request. The purpose is to provide a unit with an in-depth review of their current IT standing. Security assessments are beneficial for exposing unknown system vulnerabilities. In addition, an assessment can assist with outlining potential audit findings as well as provide feedback for addressing prior findings from an audit agency. All of the materials associated with a security assessment stay internal to UMD.

In order to request a security assessment, contact with a description of the system(s) and if there are any concerns. Once the request is received, a member of the IT Compliance team will reach out to the requester to set up an introduction interview. This can take place either in-person or over the phone with the requester as well as with members of the unit's IT staff. During this introduction meeting, the scope of the security assessment will be defined. Typically, a security assessment takes at least 30 days to complete. This number can change based on the scope of the review and the rate documentation is provided. Each assessment includes corresponding solutions designed to correct any noted vulnerability. If resources are an issue with implementing any solution, the Division of Information Technology can provide direct assistance.

The IT Compliance team is committed to performing value-added, risk-based security assessments, designed to independently review and evaluate information technology and operational controls throughout the University. 

If you have any questions regarding the security assessment process, please contact