Step 2.1: Risk Assessment Questions

Below are three sets of questions to help you assess risk and associated security practices in your department: a general risk assessment, a HIPAA supplement, and a combined GLBA and FERPA supplement. For each question set, the template asks you: 1) to indicate whether your department is currently following the identified practice, and 2) to record the location of compliance documentation or an explanation of why a practice is not followed.

Note: Certain standards may require special diligence on your department’s part. See Appendices D, E and F to determine if HIPAA, GLBA or FERPA legislation applies to your department. A requirement for departmental compliance with these laws will affect decision points in the question sets below. Your department should answer the general question set, as well as all supplemental sets that cover types of data that you house.

Medical Center (Agency 209) departments responsible for systems identified in Health System Policy 0218 (and listed in Appendix C) must substitute the RiskWatch assessment tool administered by HS/CS for the ITS-RM question sets provided in this section. Other Medical Center (Agency 209) departments have the option of using either the RiskWatch tool or the ITS-RM question sets that follow. For additional information on the RiskWatch tool, contact Jay Early <jee@virginia.edu>.

All Agency 207 (Academic Division) and 246 (College at Wise) departments should use the ITS-RM question sets.

The general risk assessment questions (as well as some of the IT mission continuity questions in the next section) come from several sources: 1) an Internal Audit questionnaire that was adapted from ITC’s Department Computer Security Self-Assessment Checklist; 2) questions based on the state IT security standard developed independently by the Virginia Alliance for Secure Computing and Networking <http://www.vascan.org/> and HS/CS; and 3) other questions identified during ITS-RM design and implementation planning that seemed prudent to include. These were edited and adapted where appropriate.

The HIPAA-related questions come from HS/CS.

The GLBA-related questions are adapted from “Financial Institutions and Customer Data: Complying with the Safeguards Rule,” Federal Trade Commission, September 2002. The FERPA-related questions are also adapted from the FTC document, which outlines best practices in securing protected data. Additional questions appropriate to the University environment were added.

If any of these question sets do not apply to your department, please skip down to the next set.

(A copy of this template, as well as all the other templates required to complete your department’s report on the ITS-RM process, is available in Word and Adobe PDF formats.)

© 2009 by the Rector and Visitors of the University of Virginia.