Technology Risk Assessments

This site provides information about the University of Regina’s Technology Risk Assessments (TRA) process and when you may need to initiate it. It also includes details about which stakeholders from the University are involved from a risk assessment perspective. 

The processes documented in the TRA are intended for administrative, operational, and instructional functions.  The University's Research community is directed toward the Research Ethics Board. The TRA Process is concerned with examining proposed solutions being introduced into the University of Regina's technological environment. This introduction of an initiative might include a platform for an operational group, a digital service for a department, or a suite of tools for a particular use case or user.

The TRA Process culminates with a document, which includes recommendations and/or the approval to operated from the University’s process participants based on an assessment of details of the proposed technology. The document is to be used for advisory purposes within the University, divisional, departmental, and unit contexts. This assessment is for submitters to better understand better where risks might exist within the proposed solution across a variety of vectors.

The TRA seeks to statisfy the requrirements of the Information Technology Initiatives Policy OPS-080-030 which requires a formal assessment of a technology initiative which utilizes University records to determine if data risk is classified appropriately, data handling standards are applied to mitigate risk, and residual risk is accepted.

The TRA is conducted by the Technology Risk Assessment Committee (TRMC)

The diagram below illustrates the sequence of events.


proposedtechinitiative

 

The TRA should be considered a resource for our community to better understand better any potential risks associated with technical solutions. Due to the diverse nature of the TRA membership (Privacy, Information Security, Procurement, Financial Services, Records and Information Management), the various expertise represented can provide a more complete picture of proposed solutions.

The TRA Process runs along an approximately 4 week response window, whereby a risk profile report will be generated that will assign a risk level along with any relevant comments from the committee.

Each of the processes listed separately from the TRA Process may have variable timelines associated with relevant activities. Each of these process areas will be informed by the risk report from the Technology Risk Management Committee (TRMC) but will have other concerns that may operate differentially.

For example, Financial Services may need to research more deeply into an eCommerce solution and may challenge the approach. Similarly, Information Services may need to examine the technological architecture and determine an initiative as not a fit for the organizational University's technology footprint.

The TRMC will work to evaluate the proposed solution, determine risk and recommendations, and where appropriate, provide approval to proceed.  

Note: The TRA Process does not absolve University of Regina, departments/units, or individuals of overall responsibility.  Risks that are accepted are still risks.