Purpose of Technology Risk Assessment

The purpose of the Technology Risk Assessment (TRA) process is to provide the University of Regina with the due diligence required to ensure that software, hardware, and data-provisioning initiatives are adequately protected, and/or that the risks involved are understood, recorded and accepted by the required stakeholders within the University.

While the approach is geared towards technological initiatives, there is great variability in the types of solutions that are within scope. Some projects might require a formal Request For Proposal (RFP) based on the costs involved, and others might be cloud-based solutions that have no fees at all. Some solutions may require e-commerce transactions, and others may not. Some may deal with Personally Identifiable Information (PII), while many may not. In each scenario, (significant) risk may exist, and this process is meant to help our partners across the organization understand these components and to assist in mitigating and/or accepting the understood risks.

The University of Regina has a legal obligation and an ethical responsibility to protect the information and processes related to our operational and academic portfolios. One of the ways that we accomplish this goal is through a Technology Risk Assessment (TRA) for any initiative being brought forward at the University of Regina that has some technological (in a broad sense) dimension to it.

This process is geared towards helping the University community and its partners, employees and operations understand the risks associated with technology-related solutions. Web-based, cloud-oriented applications, along with traditional client/server applications, have grown tremendously, and there has been an acute increase in how these technologies use data (University of Regina’s or others'), interact with other systems, and transmit information. Each process may be vulnerable, and the TRA is our institution’s due diligence in understanding the risks.

The TRA is needed to systematically assess risk across the University such that it is evaluated within the context of institutional risk appetite. It is critical that risk be assessed uniformly so that individual initiatives do not encumber the institution with undue risk. The TRA process also helps support enterprise risk management such that risk is identified, evaluated, and reported.

The TRA is defined and required by Information Technology Initiatives Policy OPS-080-030.