The Security Assessment Review (SAR) process, administered by Cybersecurity Governance, Risk, and Compliance (GRC), is required whenever institution information classified as anything other than Public will be captured, stored, processed, transmitted, or otherwise managed by a third party (e.g., vendor, service provider). When institution information is captured or stored in non-institution information technology resources, stored in non-institution facilities, or handled by non-institution persons, it is subjected to unknown risks. Those who are responsible for appropriate handling of such information must understand what type of information is involved, what level of protection it requires, what the risks are to the information, and how those risks will be mitigated.
A SAR should be completed and approved by ET&S prior to requesting a contract through procurement if any of the above conditions apply.