Cybersecurity for Software Purchases (Risk Review)
Risk Management & Compliance
UW-Madison's Risk Management and Compliance team has formalized and centralized risk assessment for software purchases.
Requesting an Assessment
To streamline this process as much as possible (for us, for L&S IT, and for the Office of Cybersecurity), email help@chm.wisc.edu to start an L&S risk review assessment. Please provide at least the name of the software and the website where more information about it can be found (i.e., typically the software's own homepage). Bonus points if you can also link to the page listing the software's terms of service.
(Hey, are you the IT/RSC person doing the assessment and need guidance? Check out our internal walkthrough here!)
L&S is currently requiring this process for all software purchases, so this affects every CHM software purchase.
A ticket has both a "Stage" and a "Result". When "Stage" is "Completed", that means you have filled out the form to the Risk Management and Compliance team's satisfaction, and the risk assessment will be assigned to an actual person. Note that this may take weeks.
When "Result" is "Accepted", that means an actual human is theoretically working on it. They will email you with any questions (this appears to happen outside of the OneTrust system, so your correspondence is perhaps copied into the ticket manually).
I was unable to find documentation on the overall workflow, but here is a PDF of the questions that the workflow will ask.
Current Software Assessments
Pending software assessments are in bold.
Name | Date of assessment | Full process? | CHM Contact | Study/Team using | Risk level and report | Notes
---|---|---|---|---|---|---
MaxQDA | 2024.03.22 | Yes | Dan Grupe | Dan Grupe | Low | |
Asana | Summer 2023 | Yes | Brittany Thomson | Operations/Advancement | Low-Moderate | |
Basecamp | Summer 2021 | No | Nate Vack | RSC, most studies | Moderate | Recommended audits are in report |
Canto | Summer 2023 | Yes | Nate Vack | Advancement | Low | RSC has copy of full risk review report & mitigation strategy |
CANTAB | Spring 2022 | No | Dan Fitch | MIDUS | Low | Recommended do not use machine for anything else |
Canva | Fall 2022 | No | Julia Lopez de la Cruz | Loka | Low | Mitigations included in document |
Cloud Research | Fall 2021 | Yes | Christy Wilson-Mendenhall | Christy W-M/Measures | Low | |
Dedoose | Spring 2022 | ? | Tawni Tidwell | Tawni/Exam CRP? | Low | |
Followmee | Fall 2021 | Yes | Dan Grupe | BAM, Dan G | Moderate | |
HealthyMinds app | Fall 2021 | No | Dan Fitch | Lots | Low | Susan Weier said it's fine if the IRB says it's good |
iStock | Fall 2021 | Yes | Lori Vavrus | Communications | Low | |
NIH Toolbox | Summer 2022 | No | Dan Fitch | AFCHRON | Medium | |
MPlus | Winter 2021 | Yes | Matthew Hirschberg | Matthew Hirschberg | Low | |
Otter.ai | Summer 2023 | Yes | Dan Grupe & Nate Vack | Emogo? | Moderate | Mitigations included in document |
Pipe.io | Paused in summer 2021 | | Dan Fitch | None | | Replaced by MIT app in BeWell |
Prolific | Summer 2021 | Yes | Corrina Frye, Roxanne Hoks | BeWell, BAM | Low | Re-purchased for BAM in spring 2022 without a new report because usage will be similar |
Quickbooks Online | Fall 2022 | No | Brittany Thomson | Admin team | Moderate | Mitigations included |
Quicken | Summer 2022 | No | Debra Dawidziak | Admin team | Low | |
SurveyAnyplace | Review, 9/13/21 | Yes | Matthew Hirshberg | Matthew Hirshberg | ? | Report has been released but not signed? Unknown, needs followup |
Squarespace | Summer 2022 | Yes | Salima Seale | Comms | Low | |
Telesage NetSCID-5 | Summer 2021 | Yes | Lauren Gresham | AFCHRON | Moderate | |
Touchscreen Test | Summer 2022 | No | Dan Fitch | RSC | Low | |
Twilio | Summer 2021 | Yes | Dan Fitch | AFCHRON, Simon's HMP Dosage | Low | |
Unicheck Plagiarism | Summer 2021 | Yes | Christy Wilson-Mendenhall | Christy W-M/Measures | Low | Use case involved de-identified data |
Weebly | February 2023 | Yes | Susan Huber | Susan Huber | Low | Design and host a student organization website |
Xming | Summer 2022 | Yes | Ty Christian | RSC | Low to moderate | Used to access X11 servers |
Yarooms | Spring 2022 | Yes | Admin | CHM | Low | |
Zendesk | Spring 2022 | Yes | Ty Christian | RSC | Low | |
Prohibited Applications
Due to Executive Order 184, the following specific applications are prohibited:
- TikTok
And the following vendors are prohibited:
- Huawei Technologies
- ZTE Corp
- Hytera Communications Corporation
- Hangzhou Hikvision Digital Technology Company
- Dahua Technology Company
- Tencent Holdings
- Alibaba
- Kaspersky Lab