Security Planning Assessment (SPA)

Request a Security Planning Assessment (SPA)

The Security Planning Assessment (SPA) is a new process to ensure the security of Yale IT Systems. The SPA replaces the old Security Design Review (SDR) process. The SPA ensures you have a plan to operate a secure IT System through the life span of the system. 

Request a SPA

The SPA ensures IT systems meet and maintain Yale's Minimum Security Standards (MSS). For details on what your MSS requirements are, visit the MSS page.

View Yale's Minimum Security Standards

The SPA is used to: 

  • Learn more about the MSS. Use the SPA to ask questions about your plan to meet and maintain the MSS on your IT System.
  • Contribute to a registry of IT systems used for security testing.
  • Identify and understand risk when using a vendor-hosted IT system.

The SPA is not: 

  • A detailed review of the security of an IT system.
  • A statement of approval from the Information Security Office (ISO) about an IT system.

Security is everyone's responsibility. Use the SPA to ask questions about your plan to operate secure IT Systems.

When do I need a SPA? 

Request a SPA when any of the following conditions apply: 

  • You are building or purchasing a new Yale IT System. A Yale IT System is an IT System that has access to Yale Data or operates in support of Yale’s mission. 
  • You are making a significant change to an existing IT System. This can include a change in: 

A SPA is not required when using a pre-approved platform. For a list of approved platforms/services, visit our Approved Services Table.

How can I complete the Security Planning Assessment (SPA) process? 

You should request a SPA after the configuration of your system and before production deployment. The SPA has two parts. 

  • Part 1: Request a SPA
  • Part 2: Work with ISO to complete the SPA

Before requesting your SPA, be sure to: 

  • Read, understand, and apply Yale's MSS requirements for the system.
  • Submit any exception requests related to the MSS. An exception request is required for any MSS the IT System cannot meet. 

Part 1: Request a SPA

Part 1 begins after you:

  • Read, understand, and apply the MSS requirements for the system.
  • Submit any exception requests related to the MSS. An exception request is required for any MSS the IT System cannot meet.

Once you have done this, request a SPA using our ServiceNow form. 

Request a Security Planning Assessment (SPA)

The SPA request will ask you the following five questions: 

  1. List the contact for this assessment, the purpose of the system, and the components of the system.
  2. What is the risk classification of the IT system?
  3. Did you read and understand the Yale Minimum Security Standards (MSS) and does the IT system adhere to the MSS?
  4. Do you have a plan to adhere to the MSS for the life of the system?
  5. Have you submitted any exceptions to the MSS through the exception process?

We provide examples of how to answer the five SPA questions. View examples and guidance for the SPA questions on our SPA Questions Guidance page. 

View the SPA Questions Guidance page

Part 2: Work with ISO to complete the SPA

Once we have received your SPA request, a member of the ISO team will contact you. In this part of the SPA, we will work with you to: 

  • Initiate a Third Party Risk Management (TPRM) review if the IT system is hosted by a vendor.
  • Address any outstanding vulnerabilities. We identify vulnerabilities through the security testing of your system.
  • Submit exception requests for vulnerabilities that cannot be addressed in a timely manner.

Need help?

Supporting resources for completing the SPA: 

For additional questions about the SPA, please email information.security@yale.edu.