Reach out to us via:
- Slack: #iso-security_reviews channel
- ServiceNow - Security Review questions
- Phone: Call the Experience Center at 1-844-339-2196.
Each of us at ASU is responsible for the security of ASU's systems, and we are also individually responsible for any technology that we install or use. The security review process identifies risk and the mitigating controls that reduce the overall risk to ASU users, systems and networks.
ASU has two different levels of security reviews: the Departmental Review and the ISO Review.
Each level ensures the appropriate amount of risk management for the situation. To decide which is necessary, use the decision chart below.
| | Department Review | Department Review | ISO Review | ISO Review |
|---|---|---|---|---|
| Data Classification | Public/Internal | Sensitive | Sensitive/Highly Sensitive | Sensitive |
| Availability | Tier 3 | Tier 3 | Tier 1 or 2 | Tier 3 |
| # of data records | All | <10,000 | All | >10,000 |
| Integrates into a Tier 1/Tier 2 availability | | | | |
| Renewals | Prior reviews can be utilized if data sensitivity and integrations have not changed and the review is less than three years old. (We are working to mature this model to achieve a one year review for all contract renewals.) | | | |
Reference the Data Handling Standard for information on data classification.
Examples of Tier 1/2 Availability Systems include, but are not limited to:
Prior reviews that reside within the same department can be utilized if data sensitivity and integrations have not changed.
For Renewals with Low Risks
A re-review is required if the original review is over 3 years old.
We are working to mature this model to achieve a 1 year review for all contract renewals.
For Renewals with High or Medium Risk
The Accountable Administrator (AA) must accept the risk with each annual renewal. For this reason, a re-review should be completed prior to the AA conversation, and the vendor's current security posture should be assessed before asking the AA for approval. This ensures that any improvements or newly identified risks are incorporated into a current risk summary.
The Departmental Review is completed by each unit or department's IT staff. For guidance on determining what type of review is needed, see the Self-Assessment document.
The Self-Assessment document is not mandatory. It is provided purely as a guidance resource to assist in determining the type of review that needs to be completed.
The Accountable Administrator (AA) is defined as the Dean or Department head at the highest level of the business unit.
For additional information, see our ASU IT Community of Practice page.
You can request an SSO integration via CAS, Shibboleth/SAML, or Active Directory Federation Services (ADFS) with the ServiceNow request "Shibboleth connections" for connection and authentication to externally hosted applications/sites.
It is the responsibility of the site/application owner to implement the integration on their end. Before purchasing software, contact the vendor to ensure that it supports SSO capabilities via CAS or SAML. If it does not support this capability, then it is recommended to find an alternative solution that does.
For CAS SSO, all HTTPS (SSL) asu.edu URLs are automatically permitted, so no registration is needed. For non-asu.edu URLs, you will need to submit a ServiceNow form with the details and the SSO team will add it to the CAS registry.
For Shibboleth, if the remote site is part of the InCommon Federation, no action is required on ASU's end since we are a participating member. The vendor will only need to add asu.edu as an allowed domain on their end.
If the remote site is not part of the InCommon Federation, you will need to submit a ServiceNow form with contact details for exchanging signed metadata for the SAML integration. That is, you provide your service provider (SP) signed metadata, and the SSO team will give you ASU’s identity provider (IdP) signed metadata. Each of you will then add the respective metadata to your configurations.
For SAML, using Shibboleth provides identity data from the ASU Directory Service (DS LDAP) environment via CAS SSO. Using ADFS provides identity data from the ASU Windows Active Directory environment. Since ADFS uses its own login page, it is not a "true" single sign-on.
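The metadata exchange described above ends with each side adding the other's signed metadata to its configuration. The following is an added example, not ASU's or the SSO team's code, of the sanity checks a service provider owner can run on received IdP metadata before loading it: confirm the entityID is the one agreed with the SSO team, that the document carries a signature element and a signing certificate, that every SSO endpoint is HTTPS, and that the metadata has not expired. The entityID, endpoint URLs, certificate and signature values in the sample are constructed placeholders, and the example does not cryptographically verify the XML signature (that requires an XML-DSig library such as xmlsec); it only checks that one is present.

```python
"""Parse and sanity-check SAML 2.0 IdP metadata before adding it to an SP configuration.

Added example, not ASU's or the SSO team's code. The metadata below is
constructed: the entityID, endpoints, certificate and signature values
are placeholders standing in for the signed metadata an SSO team provides.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample; hypothetical entityID, endpoint URLs and placeholder values.
SAMPLE_IDP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.edu/idp/shibboleth"
    validUntil="2030-01-01T00:00:00Z">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-PLACEHOLDER-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Extract the fields an SP needs from an IdP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs, endpoints = [], {}
    if idp is not None:
        # Only certificates marked for signing (or unmarked) are trusted for assertion checks.
        for kd in idp.findall("md:KeyDescriptor", NS):
            if kd.get("use") in (None, "signing"):
                for c in kd.findall(".//ds:X509Certificate", NS):
                    certs.append((c.text or "").strip())
        for sso in idp.findall("md:SingleSignOnService", NS):
            endpoints[sso.get("Binding")] = sso.get("Location")
    return {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),
        "signed": root.find("ds:Signature", NS) is not None,  # presence only, not verification
        "signing_certs": certs,
        "sso_endpoints": endpoints,
    }


def check_idp_metadata(meta, expected_entity_id, now=None):
    """Return a list of findings; an empty list means the metadata passed every check."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if meta["entity_id"] != expected_entity_id:
        findings.append(f"entityID mismatch: got {meta['entity_id']!r}")
    if not meta["signed"]:
        findings.append("metadata carries no XML signature element")
    if not meta["signing_certs"]:
        findings.append("no signing certificate in IDPSSODescriptor")
    if not meta["sso_endpoints"]:
        findings.append("no SingleSignOnService endpoints")
    for binding, location in meta["sso_endpoints"].items():
        if not (location or "").startswith("https://"):
            findings.append(f"non-HTTPS endpoint for {binding}: {location!r}")
    if meta["valid_until"]:
        expiry = datetime.strptime(meta["valid_until"], "%Y-%m-%dT%H:%M:%SZ")
        if expiry.replace(tzinfo=timezone.utc) < now:
            findings.append(f"metadata expired at {meta['valid_until']}")
    return findings


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    for f in check_idp_metadata(meta, "https://idp.example.edu/idp/shibboleth"):
        print("FINDING:", f)
    print("Redirect SSO endpoint:", meta["sso_endpoints"].get(HTTP_REDIRECT))
```

Run it against the metadata file the SSO team sends in place of the constructed sample, with the expected entityID taken from the ServiceNow exchange; any finding is a reason to go back to the SSO team before the metadata is loaded into the SP.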
If a product or vendor service has an existing ISO Security Review or a Departmental Security Review by your department/business unit, a new review is NOT needed given the following conditions:
Please check the UTO Product Catalog to see if the technology is already in use at ASU. If it is not found in the Product Catalog, please submit your request via ServiceNow to see if there is a security review on file for the product you are purchasing. Please note: another department's security review can only be utilized if the data sensitivity, functionality, and integrations are the same.
Our Data Handling Standard has explanations and examples of how ASU classifies certain data; see the appendix at the end of that document. Our standard breaks data into four categories: Public, Internal, Sensitive, and Highly Sensitive.