Security Reviews

Each of us at ASU is responsible for the security of ASU's systems, and we are also individually responsible for any technology that we install or use. The security review process identifies risks and their mitigating controls, reducing the overall risk to ASU users, systems and networks.

We now accept completed HECVAT Full and HECVAT Lite self-assessments from ASU vendors.

 

Frequently Asked Questions

ASU has two different levels of security reviews: the Department Review and the ISO Review.

Each level ensures the appropriate amount of risk management for the situation. To decide which is necessary, use the decision chart below.

                            Department Review                      ISO Review
Data Classification         Public/Internal   Sensitive            Sensitive/Highly Sensitive   Sensitive
Availability                Tier 3            Tier 3               Tier 1 or 2                  Tier 3
# of data records           All               <10,000              All                          >10,000
Additional considerations                                          Integrates into a Tier 1/Tier 2 availability system
Renewals                    Prior reviews can be utilized if data sensitivity and integrations have not changed and the review is less than three years old.
                            (We are working to mature this model to achieve a one year review for all contract renewals.)


Refer to the Data Handling Standard for information on data classification.

Examples of Tier 1/2 Availability Systems include, but are not limited to:

  • Canvas LMS
  • Microsoft Office 365 (3rd party add-ins)
  • Google Workspace (formerly G Suite) (3rd party add-ins)
  • Slack
  • Zoom
  • ServiceNow
  • Workday
  • PeopleSoft
  • Salesforce
  • Atlassian (Jira, Bitbucket, Confluence)
  • BI Server
  • Tableau
  • Adobe Creative Cloud
  • Cloud Service Provider instances managed by ASU
    • Amazon Web Services
    • Google Cloud Platform
    • Microsoft Azure

Renewals

Prior reviews that reside within the same department can be utilized if data sensitivity and integrations have not changed.

For Renewals with Low Risk

A re-review is required if the original review is over 3 years old.

We are working to mature this model to achieve a 1 year review for all contract renewals.

For Renewals with High or Medium Risk

The Accountable Administrator (AA) must accept the risk with each annual renewal. For this reason, a re-review should be completed prior to the AA conversation, and the vendor's current security posture should be assessed before asking the AA for approval.

This ensures that any improvements or potential risks are incorporated in a current risk summary.

The Departmental Review is completed by each unit or department's IT staff. For guidance on determining what type of review is needed, use the Self-Assessment document.

No. The Self-Assessment document is provided purely as a guidance resource to assist in determining the type of review that needs to be completed.

  • ASU is procuring any of the following:
    • Software
      • Purchasing or leasing software
      • Acquiring free or open-source software
    • Contract renewals of the above
  • Vendor has created any code for ASU
  • Vendor is hosting, or managing infrastructure in any of the following ways:
    • Cloud
    • On-premises vendor data center
  • Vendor is collecting, receiving, storing, or analyzing any of the following regulated data:
    • FERPA
    • HIPAA
    • PCI
    • CUI
    • PII (GDPR, CCPA)
    • Research data
  • Vendor is collecting, receiving, storing, or analyzing any ASU data (including if the data is not online) via a link on an ASU.edu or another ASU managed webpage
  • Technology purchases of the following:
    • Basic computer peripherals
      • mice, keyboards, touch tablets, monitors, speakers
    • Basic computer components
      • CPUs, GPUs, motherboards, HDDs, SSDs, optical drives, network cards
    • Digital subscriptions where ONLY public data is provided to the vendor
      • Digital print media like journals, magazines, newspapers, etc.
      • Digital assets like fonts, images, music, etc.
      • Streaming video on demand services (VIEWING ONLY; cases that upload video will require a security review)

See the short video “ASU Purchasing Process for Technology-Related Products and Services” for an overview. In the video, the security review process is referred to as the “Technology Review”.

The Accountable Administrator (AA) is defined as the Dean or Department head at the highest level of the business unit.

Directory of DT Leads, Accountable Administrators, Business Administrators and IT technical representatives by department

For additional information, see our ASU IT Community of Practice page.

You can request an SSO integration via CAS, Shibboleth/SAML, or Active Directory Federation Services (ADFS) through the ServiceNow request “Shibboleth connections for connection and authentication to externally hosted applications/sites”.

It is the responsibility of the site/application owner to implement the integration on their end. Before purchasing software, contact the vendor to ensure that it supports SSO via CAS or SAML. If it does not support this capability, it is recommended to find an alternative solution that does.

For CAS SSO, all HTTPS (SSL) asu.edu URLs are automatically permitted, so no registration is needed. For non-asu.edu URLs, you will need to submit a ServiceNow form with the details and the SSO team will add it to the CAS registry.

For Shibboleth, if the remote site is part of the InCommon Federation, no action is required on ASU's end since we are a participating member. The vendor will only need to add asu.edu as an allowed domain on their end.

If the remote site is not part of the InCommon Federation, you will need to submit a ServiceNow form with contact details for exchanging signed metadata for the SAML integration. That is, you provide your service provider (SP) signed metadata, and the SSO team will give you ASU’s identity provider (IdP) signed metadata. Each of you will then add the respective metadata to your configurations.

For SAML, using Shibboleth provides identity data from the ASU Directory Service (DS LDAP) environment via CAS SSO. Using ADFS provides identity data from the ASU Windows Active Directory environment; since ADFS uses its own login, it is not a “true” single sign-on.

A complete training and certification program for the purchasing process is available on the Security/Purchasing/Risk Training Certification page.

If a product or vendor service has an existing ISO Security Review or a Departmental Security Review by your department/business unit, a new review is NOT needed provided the following conditions are met:

  • The Low Risk Review is less than three years old.
  • The Medium or High Risk Review is less than 12 months old.
  • Data sensitivity and integrations have not changed.
  • No changes were made to data handling or vendor security patching/updating upon renewal.

Please check the UTO Product Catalog to see if the technology is already in use at ASU. If it is not found in the Product Catalog, please submit your request via ServiceNow to see if there is a security review on file for the product you are purchasing. Please note: another department's security review can only be utilized if the data sensitivity, functionality, and integrations are the same.

Our Data Handling Standard has explanations and examples of how ASU classifies certain data; see the appendix at the end of the document. Our standards break data up into 4 categories: Public, Internal, Sensitive, and Highly Sensitive.

Additional questions?

Reach out to us via:

  • Slack: #iso-security_reviews channel
  • ServiceNow - Security Review questions
  • Phone: Call the Experience Center at 1-844-339-2196.