Technology Risk Assessment Process

Below you will find the steps to follow for collecting and submitting the documentation required for the technology risk assessment to the Technology Risk Assessment Committee (TRMC) for review.

A process diagram is available that shows the workflow of the TRMC's evaluation of a technology risk assessment.

Do you need to fill out and submit a TRA Intake Form? 

The following questions can guide you in determining whether a TRA is required.  Note: answering yes to any one question will trigger the need for a TRA submission.
  • Is your need technological in orientation and new to the organization?
  • Does your solution require access to University records or data, or will it create or transmit such records or data?
  • Is your solution hosted off campus including by a SaaS vendor or in the cloud?
  • Does your vendor (if applicable) require a contract?
  • Will the solution interface with existing systems (receive data from an existing system, or send data to another system)?
  • Will your solution require any sort of eCommerce transactions using a University of Regina-owned payment processor?  Or other-provided payment processor?
  • Does your solution require the use of Supply Management Services for the procurement of the technology solution?

If you do not believe you require a technology risk assessment to be completed, please contact TRMC to confirm.  Most technology initiatives will require a technology risk assessment.

Filling Out the Intake Form

Please use the TRA Intake form to provide your solution's information.  This is the first step of the technology risk assessment, and it will be the primary source of information for the Technology Risk Assessment Committee to review.

The information requested in this form is information your team can provide, such as the name of the initiative, its description, its impact, the nature of the data, etc. As the questions become more technical, you may need your vendor to provide certain components for you (if applicable).

Please be as specific as possible.

The form also provides opportunities to upload attachments and other supporting material.

The types of information requested are:

  • General
    • Name of initiative, reason for the solution, contact information, criticality, etc.
    • Location and infrastructure in scope
    • Parties involved in solution (faculty, department, unit, vendor)
  • Supply Management Services
    • Proposed procurement process
    • Contract term length (if applicable)
    • Details of licensing and/or costs of purchase (including implementation)
  • Financial Services (some of this information will be provided via the vendor form)
    • Details related to eCommerce requirement
    • Payment processing data flow
    • PCI compliance
  • Privacy and Security
    • Nature of data / sensitivity of data
    • Volume of data
    • Transmission requirements
    • Disclosure requirements
    • Lifecycle of data
  • Contractual
    • Contract terms - including risk management, liabilities and indemnities
  • Supporting details
    • Attachments such as security controls provided by vendor
    • License agreements

Submit the Form

Please fill out all the relevant fields in the TRA Intake form and include the relevant information provided from the vendor, if applicable.

When finished, please submit this form to trmc@uregina.ca. A member of the TRMC will follow up shortly thereafter to confirm all information has been received.

There may be some follow-up to obtain clarification and/or additional documents.

Process Following Submission

The TRMC will receive the submission and will develop a document to articulate any potential risks to the application and/or solution at University of Regina. 

The solution will be assessed based on:

  • Information Risk Classification Framework: based on the type of data included in your solution, the risk associated with the initiative will be classified as low risk, medium risk, or high risk.  The Information Risk Classification Framework is defined in Information Technology Initiatives Policy OPS-080-030 Appendix B.
  • Data Handling Standards: each risk classification (as determined in the risk classification framework) has associated standards required for information security.
  • Contractual and legal review
  • Privacy requirements associated with legislation such as LAFOIP, CASL, and HIPA
  • Procurement policies
  • Records and Information Management requirements
  • Financial requirements such as PCI DSS compliance

Depending on the complexity of the solution, the TRMC may need to hold a meeting to discuss it in more detail (the TRMC group meets every month to discuss submissions).

A typical timeline associated with this process is approximately 4 weeks.

You will receive a report of the submitted information shortly following the conclusion of the assessment. 

This report will provide:

  • Classification of the risk based on the data in scope of the solution.
  • Risks identified by an evaluation against the data handling standards for the appropriate classification of information risk.
  • Risks associated with contracts or agreements, privacy, procurement, records and information management, or financial risk.
  • Recommendations to manage identified risk.
  • Record of approval to operate.

The TRA Process establishes a risk level. Processes such as legal contract negotiation, privacy impact assessments, and e-commerce configurations fall outside the scope of TRA, but may be informed by it.