Cybersecurity for Software Purchases (Risk Review)

If you're making a software purchase, you'll need to go through the cybersecurity risk review assessment.

Risk Management & Compliance

UW-Madison's Risk Management and Compliance team has formalized and centralized risk assessment for software purchases.

Requesting an Assessment

To streamline this process as much as possible (for us, for L&S IT, and for the Office of Cybersecurity), email to start an L&S risk review assessment. Please provide at least the name of the software and the website where more information about it can be found (typically the software's own homepage). Bonus points if you can also link to a page listing the software's terms of service.

(Hey, are you the IT/RSC person doing the assessment and need guidance? Check out our internal walkthrough here!)

L&S is currently requiring this process for all software purchases, so this affects every CHM software purchase.

A ticket has both a "Stage" and a "Result". When "Stage" is "Completed", that means you have filled out the form to their satisfaction, and the risk assessment will be assigned to an actual person. Note that this may take weeks.

When "Result" is "Accepted", that means an actual human is theoretically working on it. They will email you with any questions (this appears to happen outside of the OneTrust system, so your correspondence may get manually copied into the ticket afterwards).

I was unable to find documentation on the overall workflow, but here is a PDF of the questions that the workflow will ask.

Current Software Assessments

Pending software assessments are in bold.

Table of Risk Assessments submitted by CHM

| Name | Date of assessment | Full process? | CHM Contact | Study/Team using | Risk level and report | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| MaxQDA | 2024.03.22 | Yes | Dan Grupe | Dan Grupe | Low | |
| Asana | Summer 2023 | Yes | Brittany Thomson | Operations/Advancement | Low-Moderate | |
| Basecamp | Summer 2021 | No | Nate Vack | RSC, most studies | Moderate | Recommended audits are in report |
| Canto | Summer 2023 | Yes | Nate Vack | Advancement | Low | RSC has copy of full risk review report & mitigation strategy |
| CANTAB | Spring 2022 | No | Dan Fitch | MIDUS | Low | Recommended: do not use machine for anything else |
| Canva | Fall 2022 | No | Julia Lopez de la Cruz | Loka | Low | Mitigations included in document |
| Cloud Research | Fall 2021 | Yes | Christy Wilson-Mendenhall | Christy W-M/Measures | Low | |
| Dedoose | Spring 2022 | ? | Tawni Tidwell | Tawni/Exam CRP? | Low | |
| Followmee | Fall 2021 | Yes | Dan Grupe | BAM, Dan G | Moderate | |
| HealthyMinds app | Fall 2021 | No | Dan Fitch | Lots | Low | Susan Weier said it's fine if the IRB says it's good |
| iStock | Fall 2021 | Yes | Lori Vavrus | Communications | Low | |
| NIH Toolbox | Summer 2022 | No | Dan Fitch | AFCHRON | Medium | |
| MPlus | Winter 2021 | Yes | Matthew Hirschberg | Matthew Hirschberg | Low | |
| (name missing from source) | Summer 2023 | Yes | Dan Grupe & Nate Vack | Emogo? | Moderate | Mitigations included in document |
| (name missing from source) | Paused in summer 2021 | | Dan Fitch | | None | Replaced by MIT app in BeWell |
| Prolific | Summer 2021 | Yes | Corrina Frye, Roxanne Hoks | BeWell, BAM | Low | Re-purchased for BAM in spring 2022 without a new report because usage will be similar |
| Quickbooks Online | Fall 2022 | No | Brittany Thomson | Admin team | Moderate | Mitigations included |
| Quicken | Summer 2022 | No | Debra Dawidziak | Admin team | Low | |
| SurveyAnyplace | Review, 9/13/21 | Yes | Matthew Hirshberg | Matthew Hirshberg | ? | Report has been released but not signed? Unknown, needs follow-up |
| Squarespace | Summer 2022 | Yes | Salima Seale | Comms | Low | |
| Telesage NetSCID-5 | Summer 2021 | Yes | Lauren Gresham | AFCHRON | Moderate | |
| Touchscreen Test | Summer 2022 | No | Dan Fitch | RSC | Low | |
| Twilio | Summer 2021 | Yes | Dan Fitch | AFCHRON, Simon's HMP Dosage | Low | |
| Unicheck Plagiarism | Summer 2021 | Yes | Christy Wilson-Mendenhall | Christy W-M/Measures | Low | Use case involved de-identified data |
| Weebly | February 2023 | Yes | Susan Huber | Susan Huber | Low | Design and host a student organization website |
| Xming | Summer 2022 | Yes | Ty Christian | RSC | Low to moderate | Used to access X11 servers |
| Yarooms | Spring 2022 | Yes | Admin | CHM | Low | |
| Zendesk | Spring 2022 | Yes | Ty Christian | RSC | Low | |

Prohibited Applications

Due to Executive Order 184, the following specific applications are prohibited:

  • TikTok
  • WeChat

And the following vendors are prohibited:

  • Huawei Technologies
  • ZTE Corp
  • Hytera Communications Corporation
  • Hangzhou Hikvision Digital Technology Company
  • Dahua Technology Company
  • Tencent Holdings
  • Alibaba
  • Kaspersky Lab

Doc ID: 135218
Owner: Brittany T.
Group: Center for Healthy Minds
Created: 2024-02-05 10:55:54
Updated: 2024-05-30 12:11:01
Sites: Center for Healthy Minds