Request a Security Planning Assessment (SPA)
The Security Planning Assessment (SPA) is a new process to ensure the security of Yale IT Systems. The SPA replaces the old Security Design Review (SDR) process. The SPA ensures you have a plan to operate a secure IT System through the life span of the system.
The SPA ensures IT systems meet and maintain Yale's Minimum Security Standards (MSS). For details on what your MSS requirements are, visit the MSS page.
View Yale's Minimum Security Standards
The SPA is used to:
- Learn more about the MSS. Use the SPA to ask questions about your plan to meet and maintain the MSS on your IT System.
- Contribute to a registry of IT systems used for security testing.
- Identify and understand risk when using a vendor-hosted IT system.
The SPA is not:
- A detailed review of the security of an IT system.
- A statement of approval from the Information Security Office (ISO) about an IT system.
Security is everyone’s responsibility. Use the SPA to ask questions about your plan to operate secure IT Systems.
When do I need a SPA?
Request a SPA when any of the following conditions apply:
- You are building or purchasing a new Yale IT System. A Yale IT System is an IT System that has access to Yale Data or operates in support of Yale’s mission.
- You are making a significant change to an existing IT System. This can include a change in:
- Hosting Provider
- System Risk Classification
A SPA is not required when using a pre-approved platform. For a list of approved platforms/services, visit our Approved Services Table.
How can I complete the Security Planning Assessment (SPA) process?
You should request a SPA after the configuration of your system and before production deployment. The SPA has two parts.
- Part 1: Request a SPA
- Part 2: Work with ISO to complete the SPA
Before requesting your SPA, be sure to:
Part 1: Request a SPA
Part 1 begins after you:
- Read, understand, and apply the MSS requirements for the system.
- Submit any exception requests related to the MSS. An exception request is required for any MSS the IT System cannot meet.
Once you have done this, request a SPA using our ServiceNow form.
The SPA request will ask you the following five questions:
- List the contact for this assessment, the purpose of the system, and the components of the system.
- What is the risk classification of the IT system?
- Did you read and understand the Yale Minimum Security Standards (MSS) and does the IT system adhere to the MSS?
- Do you have a plan to adhere to the MSS for the life of the system?
- Have you submitted any exceptions to the MSS through the exception process?
We provide examples of how to answer the five SPA questions. View examples and guidance for the SPA questions on our SPA Questions Guidance page.
Part 2: Work with ISO to complete the SPA
Once we have received your SPA request, a member of the ISO team will contact you. In this part of the SPA, we will work with you to:
- Initiate a Third Party Risk Management (TPRM) review if the IT system is hosted by a vendor.
- Address any outstanding vulnerabilities. We identify vulnerabilities through the security testing of your system.
- Submit exception requests for vulnerabilities that cannot be addressed in a timely manner.