Purpose
This document describes the procedure a department follows when requesting a new information system for use at The University of Texas-Pan American (UTPA).
Scope
The Information Security Office is responsible for ensuring that information systems implemented at UTPA are secure and do not introduce risk into the University's information technology infrastructure. The Information Security Office will present a formal risk assessment to the requesting department. It is the responsibility of the department's management to determine whether the business need for the system outweighs the risks identified by the assessment.
Prerequisites
- When it is determined that a new information system is required at UTPA, the Information Security Office should be contacted as early as possible, ideally during the discovery stage, to avoid delays in the evaluation stage.
- The requesting department should ensure compliance with Federal, Texas Department of Information Resources (DIR), UT System, and UTPA requirements.
Responsibilities
- For hosted (vendor-operated) systems, the requesting department should ensure that each company under review can provide a SAS 70 audit report, a PCI compliance audit, or a comparable independent audit that verifies the security and integrity of the data the system will hold.
- The Information Security Office will observe the procedure below.
Procedure
- Conduct a preliminary risk assessment of each product under review.
- Document a formal risk assessment of the selected product.
References
- UTS 165 is the UT System policy that defines requirements for newly implemented information systems.
- TAC 202 is the chapter of the Texas Administrative Code that defines information security standards for the State of Texas.
Definitions
- Risk Assessment – the process used to identify risks and rank each one as high, medium, or low.