Security Reviews

What is a Security Review?

In order to remain compliant with regulations and to ensure the organization’s data remains secure, an organization needs to have a process in place to evaluate any project/application that will process, store or access sensitive data. The Security Review process exists to identify and quantify the risks associated with a given system or application and to ensure that the necessary controls are integrated into the design and implementation of that system or application.

It is important to engage the Information Security team early in the project review process: the cost and risk of addressing a security issue rise sharply once the project has gone live, because controls must then be retrofitted to a system that is already handling data.

This engagement does not constitute the initiation of the actual formal Security Review; however, the initial involvement of the Information Security Team in the planning and development phase of the application/project provides a valuable resource for determining potential risk exposures and for choosing design elements that eliminate those exposures. Additionally, it notifies the Information Security Team of the planned application/project, so that the related assets, data and platforms are identified and can be protected from cybersecurity threats at the enterprise level.

The Information Security Team liaison brings current cybersecurity information and best practice to the planning and development phase, which can substantially reduce risk and can avoid the costs that would otherwise be incurred to address that risk after a project/application goes into production.

Additionally, identifying and addressing risk exposures early protects the organization’s reputation and the privacy of customers and end users, and reduces the likelihood of sanctions from oversight agencies acting under cybersecurity legislation and regulations.

Once an application/project reaches the test and implementation phase, a comprehensive Security Review should be requested so that all residual risk can be determined and suitable compensating controls implemented. In certain instances, the Application/Project Owner can accept this residual risk with the concurrence of the Chief Information Security Officer.

Once potential risks have been identified, a Security Review Assessment form will be completed and distributed to the person who requested the review. Any identified risks that cannot be satisfactorily remediated or mitigated will be brought to the attention of the business sponsors, owners and executives requesting the given application/project, and they will be required to sign off, signifying that they are aware of and accept said risk(s).

Security Review Process Overview

  1. Intake
    • ART Reviews (University)
    • Remedy Work Orders (Healthcare)
    • Projects
    • Requests
    • IRB
  2. Elaboration
    • Conversations
    • Questionnaires
    • Research
  3. Reporting
    • Risks
    • Recommendations
    • Requirements
  4. Remediation
    • Activities
    • Plans
    • Timelines
  5. Risk Acceptance
    • Signoff
    • Accountability

When Do I Need a Security Review?

  • Most of the time when you complete an ART review, a security review will be requested.
  • Healthcare projects will generally require a security review before going to the EHC Technical Committee Review.
  • If you are implementing a system that will contain sensitive or regulated data (e.g. data subject to FISMA, HIPAA or PCI requirements), you will need to complete a security review.
  • If you have any questions on whether or not you need a security review, contact the OIT Security Team at security[@]emory.edu.

How to Request a Security Review

  • Log in with your Emory NetID and password.
  • Complete the form. If you need assistance answering the questions, view our knowledge base article.
  • Click 'Order Now'.
  • Review your order and then click 'Submit Order' to complete the request.
  • Once the order has been submitted, someone from OIT Enterprise Security will contact you for additional information.