Frequently Asked Questions about the UCI Security Risk Assessment Questionnaire (SRAQ)
- What is the SRAQ?
- The SRAQ is a tool (a Word document with macros) that guides you through the security risk assessment process for a system, prompting you to think about and document the components, threats, countermeasures, and other key information required when assessing risk. It also provides a worksheet for risk acceptance and for action items to reduce risk. It is primarily used as a self-assessment tool, but it is also the basis for gathering the information required for audits and security reviews. It can also be given to a vendor during an RFP or contracting phase so they can document how they will protect your data.
- Where can I download the tool?
- What is the "LITE" version vs the regular version?
- The "LITE" version is the same document with the detailed items under each control section removed, to reduce the page count. It may be used for a low- or medium-risk system; any high-risk system should use the full version. Even for low- or medium-risk assessments, the detailed items help explain each control section and can help answer questions people have while filling it out, even if they don't choose to address each detail.
- Responsible Parties: Who is the Proprietor, Custodian, and Information Security Coordinator?
- Information Classification: Which data elements do I need to include?
- At a minimum, include all data elements in the system that are classified as "restricted" or "sensitive" according to http://security.uci.edu/plan-classification.php. You can also include data classified as "normal" as space permits, especially if it has special availability requirements (a downtime tolerance of hours or less).