Risk Assessments

Information Security is always available for consultation!  If you have a question regarding security, compliance or privacy, please reach out to us.  Or, if you would like for us to evaluate an aspect of your business, a risk assessment can be requested at any time.  

What is a risk assessment?

A risk assessment is an identification and analysis of risks faced by the school, centers, departments or groups. Risk is the potential of an incident happening that may result in unwanted loss of an asset or delay to normal business operations. Risk assessments are performed internally or for proposed use of third-party vendors.

When are risk assessments required?

Internal risk assessments are required when a risk to University data is found, on an ad-hoc basis or upon request of a department or center.

A third-party risk assessment is required when a University department or employee contracting with an outside entity that with either:

• Have access to Medical School PHI, PII or Student (FERPA) data
• Host Medical School data on the Medical School's behalf

Why is a risk assessment required?

Risk assessments are performed to ensure that Medical School data and network are adequately protected, contractual obligations concerning information security, compliance and privacy are met and the contract owner is aware of any precautions that need to be taken.

What information is needed in order for Information Security to begin a third-party risk assessment?

To begin a third-party risk assessment, Information Security requires the following:

• A SOC 2, type 2 report or other third-party security attestation from the vendor
• A SOC 2, type 2 report or other third-party security attestation from the vendor's hosting provider
• A completed Vendor Security Questionnaire
• A copy of the proposed contract, Statement of Work (SOW) and any contract appendices such as a Business Associates Agreement, Data Management Agreement (if applicable)

What does the risk assessment process entail?

Information Security will review all information provided, review the sensitivity of the data, proposed architecture and the proposed contract for any security, compliance or privacy language. Information Security will request additional information/documentation from the outside entity to gain clarification around their security controls.   

How do I initiate a risk assessment?

Please submit a risk assessment request via the online form or email to UMassChanInformationSecurity@umassmed.edu

I am not sure if my contract requires a review, what should I do?

Please send us an email at UMassChanInformationSecurity@umassmed.edu.  We would be happy to address your questions and evaluate the need for an assessment.