Risk Assessments for Systems, Applications and Browser Extensions


The Division of Information Technology (DIT) IT Compliance team performs risk assessments of potential third-party IT products. Performing a risk assessment on a product before it is procured is an industry best practice. In addition, the completion of each assessment ensures that the University of Maryland (UMD) complies with University System of Maryland IT Security Standards.

When should a risk assessment be performed?

A risk assessment should ALWAYS be performed for some IT products, including but not limited to:

Risk assessments ensure that the company is reputable and that the potential product has an adequate security posture to handle the proposed data elements.

Why are risk assessments necessary?

By completing a risk assessment before procuring an IT product, the university confirms the following:

How long do risk assessments take to complete?

Typically, a full risk assessment takes between 15 and 45 business days to complete. This depends greatly on vendor responses and the classification of proposed data elements. Because an assessment takes so much time and so many resources to complete, we ask that notice be provided in advance. Due to the various factors involved with these reviews, completing an assessment in under a month's time can be difficult, especially before the start of a semester or at the end of the financial year in June.

Since resources are finite and reviews take a considerable amount of time to complete, there is a slightly different process for applications and browser extensions, especially if they are free. We acknowledge that there are many products available that make life easier and time-intensive processes faster. However, everything has a price.

Before requesting a risk assessment

If there is interest in a free or very inexpensive application or browser extension, we ask that the following be performed before a request is made for a risk assessment:

Areas of concern

Certain qualities about an application can cause concern:

The availability of an application or extension in an application store (e.g. Google Play, Apple Store) does not guarantee that the product will handle your data in a secure manner.

Questions?

For questions about the risk assessment process, or to have a product reviewed, please reach out to IT-Compliance@umd.edu.