
Security Planning Assessment (SPA)

What is a SPA?


The Security Planning Assessment (SPA) is Yale’s simplified process to highlight and manage cybersecurity risk through compliance with the Minimum Security Standards (MSS). A SPA is required for all IT Systems accessing Yale data or operating in support of Yale’s mission.

If you need help with these IT and cybersecurity questions, please work with your Yale IT support provider (Distributed Support Providers and/or IT Partners).

If your SPA involves a vendor hosted solution, keep in mind that you should not review the MSS on behalf of the vendor, and you should not send the MSS to the vendor to review. Instead, we will work with you to have the vendor fill out a Third-Party Risk Management (TPRM) survey. For vendor hosted systems, you only need to review the MSS that Yale is directly responsible for. See below for more information on vendor hosted systems. If you have additional questions about how to handle a vendor hosted SPA, the Security Engineer assigned to your project can help.

Security is everyone’s responsibility. Use the SPA process to define your plan to operate secure IT Systems.

The SPA is used to:

  • Enable you to identify and understand risks related to the IT System.
  • Address gaps between the IT System's cybersecurity and the MSS.
  • Determine how to meet and maintain the MSS for the lifespan of the IT System.
  • Contribute to a registry of IT Systems used for security testing.

The SPA is not:

  • The Information Security Office (ISO) taking responsibility for the security of the IT System.
  • A detailed review of the security of an IT System.
  • A statement of approval from the ISO about an IT System.

The three phases to completing a SPA

  • Phase 1: MSS Review

    Understand and address your system's security requirements before submitting a SPA request.

  • Phase 2: Intake and Triage

    Request a SPA and complete an introductory consultation with the Information Security Office.

  • Phase 3: Assessment

    Perform additional activities required to complete the SPA process.

Phase 1: MSS Review

During the MSS Review phase, you will:

  1. Obtain IT support in determining the applicable requirements if you are unsure of, or do not know, the technical details of the IT System.
  2. Determine the IT System's risk classification as Low Risk, Moderate Risk, or High Risk.
  3. Review the Yale University AI Guidelines for Staff and submit an AI project request if the IT System involves AI (e.g., machine learning, deep learning, large language models).
  4. Review the MSS and understand how the IT System aligns with them.

    For vendor hosted systems, a SPA must be completed before the purchase is made, because there are elements of the process the vendor must complete: a third-party vendor assessment questionnaire and a Yale Procurement data addendum.

    Keep in mind that you only need to review the MSS that Yale is responsible for. Security controls that are the vendor's responsibility are handled through the third-party risk assessment (TPRM), so you can skip them as you review the MSS. For example, physical security is an obvious vendor responsibility: if a vendor is hosting your system, the vendor is responsible for physical security.

    Responsibility will vary from vendor to vendor - read through the MSS and determine who is responsible for what.

    Some typical items that Yale would be responsible for in a vendor-hosted system may include:

    • User account and authorization management
    • Single Sign On (SSO) and Multifactor Authentication (MFA) integrations
    • Integrations with other Yale systems
    Matching the system to the correct set of baseline security requirements is essential.

    The suggested approach to reviewing the MSS is:

    1. Use the MSS Calculator to generate the relevant requirements for the target system. The MSS Calculator produces a CSV list of requirements based on the system's type, risk classification, and external obligations.
    2. Review the requirements to determine which apply to the IT System. An example of a requirement that may not apply is training for third parties (YALE-MSS-11.2): if only Yale users use the system, this requirement does not apply.
    3. Submit MSS exception requests for the applicable requirements that the system does not meet.

    Please do not send the MSS to vendors.

    A tool we provide for completing the MSS Review is the MSS Review Workbook. This workbook is just one way to manage the information involved in an MSS review.  Other approaches are certainly possible!  There is no obligation to share this workbook with the Information Security Office.

    Download the MSS Review Workbook

    Learn more about applying the MSS

Phase 2: Intake and Triage

During the Intake and Triage phase, you will:

  1. Complete the SPA Request Form.
  2. Work with the Information Security Office (ISO) to complete an initial advisory consultation.

Request a SPA

Phase 3: Assessment

During the Assessment phase, you will:

  1. Provide an attestation regarding the IT System's adherence to the MSS.
  2. Work with ISO to:
    • Complete the exception request process, if necessary.
    • Remedy vulnerabilities identified as part of the vulnerability scanning process (for systems installed onsite or in a Yale-owned/contracted space).

During this phase, for systems installed in a vendor’s cloud environment:

The final phase of the SPA process depends on the IT System’s risk classification and type.  If the IT System is Low Risk, the ISO may determine this phase is not needed.

For additional information on each of the phases in the SPA process, please visit our Security Planning Assessment (SPA) Process Guidance webpage.

Frequently Asked Questions

  • Completing a SPA ensures IT Systems meet the MSS and operate securely. The MSS help secure Yale’s cybersecurity footprint and the delivery of its mission.

    Preparing for and completing the SPA process is also an opportunity to:

    • Review your plan to meet and maintain the MSS for the IT System.
    • Contribute to a registry of IT Systems used for security testing.
    • Identify and understand the risks the IT System brings to the University.
  • Request a SPA when any of the following conditions apply:

    • A new Yale IT System is being built or purchased.
    • An existing IT System has not completed the SPA process.
    • A significant change to hardware, software, hosting provider, or risk classification is made to an existing IT System which has a completed SPA.
    • When sufficient time has passed since an IT System’s last SPA:
      • 2 years for High Risk systems
      • 3 years for Moderate Risk systems
      • 4 years for Low Risk systems
  • Anyone can request a SPA. However, the three phases of a SPA are technical in nature. If you are not someone who understands IT and cybersecurity issues, work with your IT Support provider to complete the SPA process.

  • The length of time that it takes to complete a SPA depends on a number of factors. A SPA cannot be finalized until:

    • MSS review is complete.
    • Exception requests are processed.
    • Third party risk assessment is complete (for vendor-supported systems).
    • Business Associate Agreement and/or the Data Addendum is executed (for vendor-supported systems).
    • Vulnerability scans and remediation are complete.
    • MSS attestation is provided.
  • The ISO cannot complete the MSS review of an IT system. This is the responsibility of the individual who initiates the SPA. We are happy to assist and answer questions.

  • The ISO performs the following roles in the process:

    • Guides SPA initiators through the process.
    • Answers specific questions related to the MSS.
    • Performs the third-party risk assessment (for vendor-hosted systems).
    • Completes vulnerability scans (for onsite systems).
    • Guides individuals through the exception request process.
  • The ISO has published guidelines on data classification and risk classification. Questions about how data should be classified according to the established guidance should be brought to the data owner for the IT System.

Need more help?

Supporting resources for completing the SPA:

For additional questions about the SPA, please email information.security@yale.edu.