Skip to content
[New School IT logo]

Standard for Security and Privacy Risk Management

Introduction

The New School is committed to privacy by design and by default and to protecting information that is critical to teaching, research, the university’s many activities, its business operations, and the communities it supports. Identifying, assessing, and mitigating risks to the confidentiality, integrity, or availability of Institutional Information, IT Resources, and reviewing the impact that Processing Personal Data may have on the privacy rights of individuals are essential to fulfilling this commitment.

Purpose

This standard establishes the requirements for reviewing IT Resources and Processing activities to identify information security and privacy risks and recommend appropriate controls to mitigate identified risks to an acceptable and reasonable level.

Scope

This standard applies to all New School Institutional Information, IT Resources, and Processing activities, irrespective of whether those resources and activities are operated and maintained by The New School or by a third party on the university’s behalf.

Definitions

Special terms used in this document will be Capitalized and underlined, signifying that they have special meaning. A comprehensive glossary of terms, with examples, can be found at https://ispo.newschool.edu/glossary/.

Requirements

The New School conducts Information Security Risk Assessments to identify threats to the security of Institutional Information and IT Resources that might result in a loss of confidentiality, integrity, or availability. It also conductions Data Protection Impact Assessments in situations where the Processing of Personal Data is likely to result in a high risk to individuals.

When to perform an assessment

The decision tree to determine whether an assessment is needed, and if so which one, is shown below in Figure 1, and described in the text following the figure.

Figure 1. Security and Privacy Risk Assessment Decision Tree
  1. An Information Security Risk Assessment (ISRA) must be performed on any IT Resource used to Process Institutional Information that is Classified at Protection Level PL-3 or PL-4, regardless of whether the system is operated and maintained by New School personnel or by a third party on the university’s behalf, and regardless of whether the system is located in an on-campus or off-campus data center.
  2. An ISRA must be performed on any IT Resource used to Process Institutional Information that is Classified at Protection Level PL-1 or PL-2 if that system is located in an off-campus data center, regardless of whether it is operated and maintained by New School personnel or by a third party on the university’s behalf.
  3. ISRAs are not required for IT Resources used to Process Institutional Information that is Classified at Protection Level PL-1 or PL-2 if the system is located in an on-campus data center
  4. If the system will be Processing Personal Data, the DPIA checklist must be completed to determined whether or not a Data Protection Impact Assessment (DPIA) is necessary.
  5. ISRAs and DPIAs (if needed) must generally be completed prior to purchasing, or making significant changes to, an IT Resource or the categories of Institutional Information it Processes.
  6. Risks identified by an ISRA or a DPIA must be mitigated or accepted prior to the system being placed into operation.
  7. Residual risks (the risks that remain after all compensatory controls and mitigation processes have been implemented) may only be accepted on behalf of the university by persons with the appropriate level of authority as determined by university policy. Generally, this will be the Application Owner or Data Owner if they have signature authority, or their appropriate supervisor if they do not (university policy may override this). Approval authority may be delegated if documented in writing, but ultimate responsibility for the risks cannot be delegated.

Information Security Risk Assessment tools

The New School’s preferred information security risk assessment tool is EDUCAUSE’s Higher Education Community Vendor Assessment Toolkit (HECVAT).

The HECVAT is a questionnaire-based assessment framework specifically designed for higher education to help confirm that information, data, and cybersecurity policies are in place to protect sensitive institutional information and constituents’ personal data. THE HECVAT makes things easier for vendors by enabling them to complete one questionnaire tailored for higher education rather than filling out a multitude of questionnaires that differ for each campus customer. When a potential campus customer asks the vendor to fill out its unique campus questionnaire, the vendor can point them to the HECVAT and say that it’s using the higher education community’s recommended questionnaire instead. And the vendor can assure campus customers that the HECVAT was completed by its security team rather than a well-meaning sales person, providing a higher level of credibility in the process and responses.

The HECVAT tool is offered in three versions, all of which are used by The New School:

  1. The HECVAT Full is a comprehensive (250+ questions) assessment designed for the most sensitive cloud-hosted applications and services. This assessment must be completed for any IT Resource used to Process Institutional Information that is Classified at Protection Level PL-3 or PL-4 if that system is hosted in an off-campus data center. The assessment should be completed by the party that will be operating and maintaining the system on the university’s behalf (usually a Software-as-a-Service provider).
  2. The HECVAT Lite is a lightweight (60+ questions) assessment designed for less sensitive cloud-hosted applications and services. This assessment must be completed for any IT Resource used to Process Institutional Information that is Classified at Protection Level PL-1 or PL-2 if that system is hosted in an off-campus data center. The assessment should be completed by the party that will be operating and maintaining the system on the university’s behalf (usually a Software-as-a-Service provider).
  3. The HECVAT OnPrem is a lightweight (50+ questions) assessment designed for locally-hosted applications and services. This assessment must be completed for any (IT Resource) used to Process Institutional Information that is Classified at Protection Level PL-3 or PL-4 if that system is hosted in an on-campus data center. The assessment should be completed by the system vendor for purchased/licensed software and appliances, or by New School personnel for open-source and internally-developed systems.

The New School will accept HECVAT questionnaires provided either directly to the university by the vendor or made generally available by the vendor via the REN-ISAC Cloud Broker Index. Questionnaires must have been completed within the previous 12 months; if the questionnaire is more than 12 months old a new questionnaire must be completed.

Alternatives to HECVAT

The HECVAT is by no means the only “standard” security assessment on the market, and some vendors may push back on completing one if they have already completed one of the others. The following alternatives are, in most cases, acceptable in place of a completed HECVAT:

  • Cloud Security Alliance (CSA) Consensus Assessment Initiative Questionnaire (CAIQ). A comprehensive (290+ questions) questionnaire-based assessment of the security controls in cloud-based services and their compliance with the CSA’s Cloud Controls Matrix. Questionnaires must have been completed within the previous 12 months; if the questionnaire is more than 12 months old a new questionnaire (or the appropriate HECVAT) must be completed.
  • SSAE 18 SOC 2 Type 2 or SOC 3 audit. A SOC 2 Type 2 (preferred) or SOC 3 audit performed according to SOC 2 Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy as published by the American Institute of Certified Public Accountants (AICPA). The subject of the audit must be the specific environments, systems, and processes used to provide services to The New School. Note: SSAE 18 SOC 1 and SOC 2 Type 1 audits are not acceptable.
  • Cloud Security Alliance (CSA) STAR Attestation. A collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix. STAR Attestation provides for rigorous third party independent assessments of cloud providers.
  • ISO/IEC 27001 information security management system certification. ISO/IEC 27001 specifies a management system that is intended to bring information security under management control and gives specific requirements. Organizations that meet the requirements may be certified by an accredited certification body following successful completion of an audit. Certifications are typically valid for three years unless updated.
  • Cloud Security Alliance (CSA) STAR Certification. A rigorous third-party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Controls Matrix. Certification certificates follow normal ISO/IEC 27001 protocol and expire after three years unless updated.

Attestations and certifications must be valid at the time they are provided. Pending or in-progress attestations and certifications, unless they are updates to a currently-valid attestation or certification, are not acceptable. Vendors whose attestations or certifications are not currently valid should be encouraged to complete the appropriate HECVAT questionnaire.

Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA) is performed to describe the Processing of Personal Data, assess its necessity and proportionality, and help manage the risks to the rights and freedoms of natural persons resulting from the Processing by assessing them and determining the measures to address them.

It is not necessary to conduct a DPIA for every Processing operation. A DPIA is only required where the Processing of Personal Data is “likely to result in a high risk to the rights and freedoms of natural persons” (GDPR Article 35). This means that although you have not yet assessed the actual level of risk you need to screen for factors that point to the potential for a widespread or serious impact on individuals.

A DPIA must be performed if The New School plans to:

  • use systematic and extensive Profiling or automated decision-making to make significant decisions about people;
  • Process Special Categories of Personal Data or criminal offense data on a large scale;
  • systematically monitor a publicly accessible place on a large scale;
  • use new or innovative technologies;
  • use Profiling, automated decision-making or Special Categories of Personal Data to help make decisions on someone’s access to a service, opportunity, or benefit;
  • carry out Profiling on a large scale;
  • Process biometric or genetic data;
  • combine, compare, or match data from multiple sources;
  • Process Personal Data without providing a privacy notice directly to the individual;
  • Process Personal Data in a way that involves tracking individuals’ online or offline location or behavior;
  • Process children’s Personal Data for Profiling or automated decision-making or for marketing purposes, or offer online services directly to them; or
  • Process Personal Data that could result in a risk of physical harm in the event of a security breach.

If any changes are made to an existing Processing activity that will result in a material change to the nature, scope, context, or purposes of the Processing, a new DPIA must be performed.

Performance of a DPIA should be considered when The New School plans to carry out any other:

  • evaluation or scoring;
  • automated decision-making with significant effects;
  • systematic Processing of sensitive data or data of a highly personal nature;
  • Processing on a large scale;
  • Processing of data concerning vulnerable Data Subjects (individuals who may not be able to freely consent or object to Processing);
  • innovative technological or organization solutions; or
  • Processing involving preventing Data Subjects from exercising a right or using a service or contract.

Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of Personal Data.

For the criteria above:

  • “Systematic” means that the Processing:

    • occurs according to a system;
    • is pre-arranged, organized, or methodical;
    • takes place as part of a general plan for data collection; or
    • is carried out as part of a strategy.
  • “Extensive” and “large scale” imply the Processing:

    • covers a large area;
    • involves a large volume of data;
    • involves a wide variety of data;
    • affects a large number of individuals; or
    • continues for an extended duration.
  • “Innovative technologies” include, but are not limited to:

    • artificial intelligence, machine learning, and deep learning;
    • connected and autonomous vehicles;
    • intelligent transport systems;
    • smart technologies (including wearables);
    • market research involving neuro-measurement (e.g., emotional response and brain activity); and
    • some “Internet of Things” (IoT) applications, depending on the specific circumstances of the Processing.

If the decision is made not to carry out a DPIA, the reasons for that decision must be documented.

Further guidance on determining whether a DPIA must be conducted, and tools and guidance for conducting one, can be found in the Data Protection Impact Assessment guideline.

References

Review

This standard is reviewed on a periodic basis and updated as necessary by the Information Security and Privacy Office to ensure it remains accurate, relevant, and fit for purpose.

Document history
Date Author Description
Jun 2020 D. Curry
  • Initial publication