Software IT Security Risk Assessment

Questions? Contact SCM Response Team

Overview

Guidance on how and when to do an IT security risk assessment.

IT Security Risk Assessment requirement

If you are purchasing a software product or a cloud service that creates, stores, processes or transmits UCSF data, a full security risk assessment may be required. In addition, computing devices associated with the system, including desktop computers and laptops (those not purchased via BearBuy catalogs -- Apple, CDWG, Dell, SHI), servers, mobile devices, network hardware, and other related technologies may require a risk assessment. To determine if a full assessment is required, you will need to consult with IT Security at [email protected] as part of the procurement process.

The University of California (UC) Electronic Information Security policy (BFB IS-3) requires that all systems that create, store, process or transmit data internally at UCSF or externally through a supplier or other third party must be assessed for risk. This applies to all UCSF data, including, but not limited to:

  • Protected Health Information (PHI)
  • Personally identifiable information (PII)
  • Payment Card Industry (PCI)
  • Research Health Information (RHI)
  • Family Educational Rights and Privacy Act (FERPA)
  • Other restricted or sensitive data

UCSF prioritizes the highest-risk systems for a full security risk assessment.

How to request an IT Security Risk Assessment

Contact IT Security at [email protected] to determine if a risk assessment is required. After the IT Security review, you will receive a Risk Assessment Intake Email Response that indicates if an assessment is required.

If no assessment is required, attach that email response to your BearBuy requisition. If a full risk assessment is required, you will need to complete the assessment before you submit your requisition. If an assessment is required, you will need to attach the Risk Assessment Completion Email to your requisition.

Other Useful References