Security Risk Assessment 
Project Work ID: <Remedy ID> 
Project Title: <Meaningful Title for Project> 
Prepared by: <Name of Project Manager> 
Date of Document: <MM/DD/YYYY> 
1. BUSINESS NEED 
2. RISK QUESTIONS 
The goal of these questions is to have the individual submitting a “need for security risk assessment” 
to provide enough information to determine if an assessment should be performed. 
2.1 What is the mission/business need for the system/service/application? 
2.2 Is there an architecture document available? If so, please provide it. 
2.3 Is the service or application considered an enterprise application/service [1]? 
2.3.1 Does the application provide functional support to more than one 
department? Which ones? 
2.3.2 Is the service or application accessed by faculty/staff of more than one 
department? Can you define the group? 
2.3.3 Is the service or application accessed by students? 
2.3.4 Would the loss or interruption of this service negatively impact standard 
University operations? 
2.3.5 Would the loss, interruption, or compromise of this system have the potential 
to negatively impact the public perceptions of the University? 
2.4 Is the service or application dealing with restricted data [2]? 
[1] Enterprise Systems Policy - http://its.uncg.edu/Policy_Manual/Enterprise_Systems/ 
[2] Data Classification Policy - http://its.uncg.edu/Policy_Manual/Data/default.aspx 
10/1/2014 PAGE 1 OF 3 Security Risk 
Assessment 
Template Version 2.0
2.4.1 What law/regulation is applicable? 
2.4.2 How sensitive is the data? 
2.5 Is the application using University credentials [3]? 
2.6 Who are the target users of the service/application? 
2.6.1 What would be the means of restricting the service/application to that target 
community? 
2.6.2 Who is making modifications in the data? 
2.6.3 How is the access authority managed? 
2.7 What connections does the system/application have to other systems? 
2.8 Does the confidentiality, integrity, and availability of the data matter to the users of 
the system? 
2.9 What known risks are there associated with the application/service/system? 
Beyond the standard physical access, network and web server specific risks: 
3. ASSUMPTIONS 
4. SUMMARY 
5. SIGNATURES 
The signatures below certify that the Project Manager has met with and reviewed this document with 
the individuals below and the information contained herein is accurate. 
[3] Account Management Procedure - http://its.uncg.edu/Technology_Procedures/Acceptable_Use/Account_Management/ 
Name | Role/Title | Signature | Date 
Chuck Curry | Director, ITS Technical Planning and Security | | 
 | Project Manager | | 
 | Client | | 
 | ITS AVC | | 
OR 
UNCG Client: 
Name | Title | Signature | Date 
UNCG ITS Associate Vice Chancellor: 
Name | Title | Signature | Date 
UNCG Information Technology Services: 
Name | Title | Signature | Date 
 | Director, ITS Technical Planning and Security | | 
