What is a Security Design Review (SDR)?
A Security Design Review (SDR) is a process to ensure the security of Yale IT Systems. Yale IT Systems must meet and maintain the security requirements for the risk they carry. Security requirements for Yale IT Systems include:
- Yale's Minimum Security Standards
- External Obligations (i.e. HIPAA, PCI, FERPA, and Data Use Agreements)
- Other applicable Yale IT and security policies
Why do I need an SDR?
An SDR will highlight areas that put Yale Data or IT Systems at risk. Yale policy requires an SDR for all high and moderate risk IT Systems. An SDR is not required for low risk IT Systems hosted in the cloud. Low risk IT Systems hosted by Yale must go through a consolidated SDR.
When should I request an SDR?
Request an SDR when any of the following conditions apply:
- You are building or purchasing a new IT System that will access Yale Data. Access can mean it will create, store, transmit, or receive Yale Data.
- A significant change is being made to a current Yale IT System. This includes, but is not limited to, a change in:
  - System classification (e.g. a moderate-risk system is now accessing high risk data)
  - Access to the technology
What do I need to know to submit an SDR request?
Before submitting an SDR request, please have the following information ready:
- The risk classification of the Yale IT System.
- The contact information for those responsible for supporting the IT System. This can be Yale ITS, Local IT Support, or a third-party vendor.