Technology Risk Assessments
WELCOME TO THE TECHNOLOGY RISK ASSESSMENTS WEBSITE
Within the pages of this site, you will find information related to Technology Risk Assessments (TRA), who is involved from a committee perspective, and when you may need to engage the process.
Largely, the TRA process is concerned with examining a proposed solution being introduced into the Western University technological environment. This introduction of an initiative might include a platform for an operational group, a digital service for a department, or a suite of tools for a particular researcher.
The TRA should be considered as a resource for our community to better understand any (potential) risks associated with a technical solution. Due to the diverse nature of the TRA membership (Legal, Privacy Office, WTS, CISO, Procurement, Financial Services, Research Services, and Internal Audit), the various expertise represented can give you a better picture of your proposed solution.
The TRA process culminates with a document which constitutes an opinion from the committee based on an in-depth assessment. The document is to be used for advisory purposes within the organizational, divisional, departmental, and unit contexts. This assessment is for submitters to better understand where risks might exist within the proposed solution across a variety of vectors. It is important to note that this document is not a decision or an approval of a given project, but rather an articulation of potential risks associated with it.
Specifically, the TRA process may conclude with outstanding activities still required by Western Technology Services, Legal Counsel (contract negotiation), the Privacy Office (privacy impact assessment), and Financial Services (Bankcard Committee).
The diagram below illustrates the sequence of events.
The TRA Process runs within a 2-4 week response window, during which a risk profile report is generated that assigns a risk level along with any pertinent comments from the committee.
Each of the processes listed separately from the TRA Process may have variable timelines associated with relevant activities. Each of these process areas will be informed by the risk report from the TRA Committee (TRAC), but will have other concerns that may operate differently.
For example, the Bankcard Committee may need to drill more deeply into an eCommerce solution and may challenge the approach. Similarly, Western Technology Services may examine the technological architecture and determine that an initiative is not a fit for the organizational technology footprint at large.
The report generated through the process will place the assessment into one of three categories:
- LOW RISK
- MEDIUM RISK
- HIGH RISK
Solutions that are categorized as LOW RISK should move forward accordingly and the report may be used where required or as requested.
Please see the areas designated for Researchers and Administrative/Operations units for information related to MEDIUM RISK and HIGH RISK assessments.
The TRA process establishes a risk level. Processes such as legal contract negotiation, privacy impact assessments, and eCommerce configurations fall outside the scope of TRA, but may be informed by it.
PLEASE NOTE: THE TRA PROCESS DOES NOT ABSOLVE WESTERN, DEPARTMENTS/UNITS, OR INDIVIDUALS OF OVERALL RESPONSIBILITY – RISKS THAT ARE ACCEPTED ARE STILL RISKS.