
Security Review

Each of us at ASU is responsible for the security of ASU’s systems, and we are individually responsible for any technology that we install or use.

The security review process identifies risks and, through mitigating controls, reduces the overall risk to ASU users, systems, and networks.

A security review is required for all technology purchases, including when:

  • ASU is purchasing or leasing software, or processing a software renewal;
  • Supplier is creating any code for ASU;
  • Supplier receives, stores, or analyzes ASU Data (including if the data is not online);
  • Supplier is hosting or managing ASU Data on infrastructure outside of ASU, including in the cloud; or
  • Supplier is collecting PII or ASU Data via a link on an ASU.edu or another ASU managed webpage.

Technology purchase exceptions include:

  • Basic computer mice, keyboards, monitors, peripherals
  • Network cards
  • CPUs and GPUs
  • Hard drives
  • Motherboards

What type of Security Review is needed?

The Internal Department Review and the Endpoint Attestation reviews are completed by each unit or department. Please follow your unit’s process.

Streamlined ISO Security Review Process (Light and Full)

The ISO Security Review (Light and Full) is based on evidence-based documentation and designed to guide each unit/project team to implement technology solutions in a secure manner.

Our ISO team is ready to engage with your team to ensure your launch of each new initiative is reviewed and configured to utilize necessary risk-reducing measures. This enhanced process relies heavily on industry security standards and vendor documentation as the basis for the security review. The steps are simple:

    1. Email security.review@asu.edu letting us know you are ready to begin a security review. We will immediately assign a security architect, determine the level of security review required and work with your team to assist in gathering security documentation.
    2. Our security architects will work collaboratively with your team over the subsequent days (and up to two weeks) to review material, evaluate risk, identify mitigating controls, and issue an overall security risk summary.
    3. The security risk summary will be reviewed/approved by the appropriate dean or department head before submitting to procurement or the ASU Risk team.

To start a new ISO Light or ISO Full Security Review, please e-mail security.review@asu.edu or open a new ServiceNow ticket.

To determine the correct review, please click the Start Security Review button below:

Start Security Review

UTO Internal Security Review

Documents:

Security Review Attestation Example - Step by Step

Questions? 

Slack us at #gpis-security_reviews or email security.review@asu.edu

Or call the ASU Help Desk:

1-844-339-2196 

These are the current ISO review forms. To initiate a security review, please download and fill out the following forms:

Email the completed forms to security.review@asu.edu or Slack our security team at #iso-security_reviews to complete the review.

Frequently Asked Questions

1. Do I need to complete the Security Self-Assessment form and Internal Review Form for renewals?

Yes. Every technology spend needs to have a completed self-assessment form and internal review form. For renewals, you can use the completed review from the prior year if data sensitivity, functionality, and integrations have not changed.

2. How do I know if my technology/software is "new to ASU"?

Please check the UTO Product Catalog to see if the technology is already in use at ASU. If it is not found in the Product Catalog, please email security.review@asu.edu to see if there is a security review on file for the product you are purchasing. Please note: another department’s security review can only be utilized if the data sensitivity, functionality, and integrations are the same.

3. How do I know I'm working with Sensitive or Highly Sensitive Data?

Our Data Handling Standard has explanations and examples for how ASU classifies certain data. Our standards break data up into 4 categories: Public, Internal, Sensitive, and Highly Sensitive.

4. There are two buttons on the Security Review page. Which one do I use?

The Start Security Review tab is for all departments. The UTO Internal Security Review button is specific to the University Technology Office (UTO). This form links to UTO’s internal security reviews for hardware and software. Internal security reviews are unit specific. If you are not in the UTO department, your unit might have a different internal review form. Units are welcome to use the UTO internal review forms if they desire.

Additional Questions?

Slack us at #iso-security_reviews or email security.review@asu.edu

ASU Help Desk:

1-844-339-2196