Security Planning Assessment (SPA)
A Security Planning Assessment (SPA) is Yale's process for identifying and managing cybersecurity risk by ensuring IT systems meet the University's Minimum Security Standards (MSS). This page explains when a SPA is required, how to complete it using the Security Planning Assessment Help Center (SPAhc), and the resources available to guide you through the process.
What is a SPA?
A Security Planning Assessment (SPA) is Yale’s process to highlight and manage cybersecurity risk through compliance with the Minimum Security Standards (MSS). The process requires a technical understanding of the IT system and should be completed by or in conjunction with your IT Support.
The SPA is completed using the Security Planning Assessment Help Center (SPAhc – pronounced spahk). SPAhc is a workflow tool that guides you through the SPA process from start to finish.
When is a SPA required?
A SPA is required for all IT systems that access Yale data or operate in support of Yale’s mission.
A SPA is typically completed when doing one of the following.
- Building or purchasing a new IT system
- Making a major change to an existing IT system
- Revisiting an existing SPA (See Yale-MSS-1.7 for more details on when to revisit a SPA)
SPAs are required for on-premises and vendor-hosted solutions. For vendor-hosted solutions, do not send the MSS to the vendor. As part of the SPA, the Information Security Office (ISO) will analyze the vendor’s cybersecurity practices through a survey. The Yale team engaging with the vendor must still address those MSS requirements for which the University is responsible.
How do I complete a SPA?
A SPA is completed using the SPA Help Center (SPAhc) application. Because working with SPAhc is a highly technical effort, it should be handled by your IT support or with their assistance. Through SPAhc, one is able to complete the SPA process:
- Provide background information and determine the risk classification of a SPA’s IT system
- Identify, review, and meet your system’s MSS requirements and external obligations
- Request exceptions to any MSS requirements you cannot address
- Resolve any security vulnerabilities or vendor issues identified by ISO
If you would like to request a meeting to review this process with ISO before initiating a SPA, please email information.security@yale.edu.
To begin or continue working on an existing SPA, login to SPAhc. See Creating a SPAhc account, below, If you have not already created an account.
For additional information on working with SPAhc, see:
Who should complete a SPA?
SPAs should be completed by the technical support for the system. If you are not someone who understands the technical details related to cybersecurity requirements, you should work with your IT Support to complete a SPA.
While ISO is here to provide guidance and answer questions, reviewing and meeting MSS requirements is the responsibility of the IT system’s Yale team.
Frequently Asked Questions (FAQ)
Need more help?
Supporting resources for completing the SPA:
- SPAhc Quick Guide
- SPAhc Example SPA
- SPAhc User Manual
- Exception Request Process
- Risk Classification Guideline
- Yale’s Minimum Security Standards
For additional questions about SPAs or SPAhc, please email information.security@yale.edu.