Risk Assessments

Information Security is always available for consultation!  If you have a question regarding security, compliance or privacy, please reach out to us.  Or, if you would like for us to evaluate an aspect of your business, a risk assessment can be requested at any time.  

What is a risk assessment?

A risk assessment is an identification and analysis of risks faced by the school, centers, departments or groups. Risk is the potential of an incident happening that may result in unwanted loss of an asset or delay to normal business operations. Risk assessments are performed internally or for proposed use of third-party vendors.

When are risk assessments required?

Internal risk assessments are required when a risk to University data is found, on an ad-hoc basis or upon request of a department or center.

A third-party risk assessment is required when a University department or employee contracts with an outside entity that will either:

  • Have access to Medical School PHI, PII or Student (FERPA) data
  • Have access to the Medical School network

Why is a risk assessment required?

Risk assessments are performed to ensure that Medical School data and the network are adequately protected, that contractual obligations concerning information security, compliance and privacy are met, and that the contract owner is aware of any precautions that need to be taken.

What information is needed in order for Information Security to begin a third-party risk assessment?

To begin a third-party risk assessment, Information Security requires the following:

  • A SOC 2 report or other third-party attestation from the vendor
  • A completed Vendor Security Checklist
  • A copy of the proposed contract and any contract appendices (if available)

What does the risk assessment process entail?

Information Security will review all information provided, the sensitivity of the data, the proposed architecture and the proposed contract for any security, compliance or privacy language. Information Security will request additional information or documentation from the outside entity to gain clarification around their security controls.

How do I initiate a risk assessment?

Please submit a risk assessment request via the online form or by email to itsecurity@umassmed.edu.

I am not sure if my contract requires a review, what should I do?

Please send us an email at itsecurity@umassmed.edu.  We would be happy to address your questions and evaluate the need for an assessment.