Skip to main content

Security Planning Assessment (SPA)

A Security Planning Assessment (SPA) is Yale's process for identifying and managing cybersecurity risk by ensuring IT systems meet the University's Minimum Security Standards (MSS). This page explains when a SPA is required, how to complete it using the Security Planning Assessment Help Center (SPAhc), and the resources available to guide you through the process.

Launch SPAhc

What is a SPA?

A Security Planning Assessment (SPA) is Yale’s process to highlight and manage cybersecurity risk through compliance with the Minimum Security Standards (MSS). The process requires a technical understanding of the IT system and should be completed by or in conjunction with your IT Support.

The SPA is completed using the Security Planning Assessment Help Center (SPAhc – pronounced spahk). SPAhc is a workflow tool that guides you through the SPA process from start to finish.

When is a SPA required?

A SPA is required for all IT systems that access Yale data or operate in support of Yale’s mission.

A SPA is typically completed when doing one of the following.

  • Building or purchasing a new IT system
  • Making a major change to an existing IT system
  • Revisiting an existing SPA (See Yale-MSS-1.7 for more details on when to revisit a SPA)

SPAs are required for on-premises and vendor-hosted solutions. For vendor-hosted solutions, do not send the MSS to the vendor. As part of the SPA, the Information Security Office (ISO) will analyze the vendor’s cybersecurity practices through a survey. The Yale team engaging with the vendor must still address those MSS requirements for which the University is responsible.

How do I complete a SPA?

A SPA is completed using the SPA Help Center (SPAhc) application. Because working with SPAhc is a highly technical effort, it should be handled by your IT support or with their assistance.  Through SPAhc, one is able to complete the SPA process:

  • Provide background information and determine the risk classification of a SPA’s IT system
  • Identify, review, and meet your system’s MSS requirements and external obligations
  • Request exceptions to any MSS requirements you cannot address
  • Resolve any security vulnerabilities or vendor issues identified by ISO

If you would like to request a meeting to review this process with ISO before initiating a SPA, please email information.security@yale.edu.

To begin or continue working on an existing SPA, login to SPAhc. See Creating a SPAhc account, below, If you have not already created an account.

 

  • Only Yale users can access SPAhc. Accounts are granted to individuals who provide IT support for the system or oversee one or more SPA-related groups. If you need access, please click the “Request New Account” button. A user account is obtained through the following steps.

    1.  Go to https://yaleuniversity.outsystems.app/SPA

    2.  Provide your Yale login credentials, if needed.

    3.  On the SPAhc homepage, click the "Request New Account" button.

    4.  Describe your role as an IT support provider or manager of SPA-related groups.

    5.  Once the account has been created, you will receive an email.
     

    Screenshot of SPAhc homepage highlighting Request New Account button.

Who should complete a SPA?

SPAs should be completed by the technical support for the system. If you are not someone who understands the technical details related to cybersecurity requirements, you should work with your IT Support to complete a SPA.

While ISO is here to provide guidance and answer questions, reviewing and meeting MSS requirements is the responsibility of the IT system’s Yale team.

Frequently Asked Questions (FAQ)

SPA Process

  • Completing a SPA ensures IT systems meet the MSS and operate securely. The MSS help protect our cybersecurity footprint and the delivery of Yale’s mission.

    Preparing for and completing the SPA process is also an opportunity to:

    • Review your plan to meet and maintain the MSS for the IT system
    • Contribute to a registry of IT systems used for security testing
    • Identify and understand the risks the IT system brings to the University
  • A SPA should be completed when any of the following conditions apply.

    • A new Yale IT system is being built or purchased
    • An existing IT system has not completed the SPA process
    • A significant change to hardware, software, hosting provider, or risk classification is made to an existing IT system
    • After sufficient time has passed since an IT system’s last SPA:
      • Two years for high-risk systems
      • Three years for moderate-risk systems
      • Four years for low-risk systems
  • SPAs should be completed by the technical support for the system. If you are not someone who understands the technical details related to cybersecurity requirements, you should work with your IT Support to complete a SPA.

  • The length of time needed to complete a SPA depends on several factors.

    A SPA cannot be finalized until:

    • MSS requirements have been reviewed and an attestation is provided by the IT system’s Yale team
    • MSS exception requests are processed
    • A cybersecurity survey is complete (for vendor-supported systems)
    • Contract-related items are executed (for vendor-supported systems)
    • Vulnerability scans and remediation are complete
  • While the Information Security Office is here to provide guidance and answer questions, reviewing and meeting MSS requirements is the responsibility of the IT system’s Yale team.

  • ISO performs the following roles in the process:

    • Guides SPA initiators through the process
    • Answers specific questions related to the MSS
    • Administers the third-party risk assessment (for vendor-hosted systems)
    • Completes vulnerability scans (for onsite systems)
    • Guides individuals through the MSS exception request process
  • The ISO has published guidelines on data classification and risk classification. Questions about how data should be classified according to the established guidance should be brought to the data owner for the SPA’s IT system.

  • For SPAs that entail the use of AI (e.g., machine learning, deep learning, large language models), please review the Yale University AI Guidelines for Staff and submit an AI project request in addition to a SPA.

 

SPAhc

  • SPAhc is a web-based tool that guides users through the SPA workflow – illuminating what needs to happen and when.

    Additionally, SPAhc offers a dashboard view of relevant SPA metrics and the ability to search for, review, and copy existing SPAs.

  • SPAhc is best suited for IT support personnel. SPAhc accounts are typically administered to those who are providing IT Support to the system, or oversee one or more groups that support SPAs. If you are not a technical support provider who needs access to the SPA, please contact information.security@yale.edu.

  • Use SPAhc anytime you need to request a SPA or access information pertaining to current and past SPAs.

    • Initiate or continue a SPA
    • Step through the SPA process in a guided fashion
    • Identify and review MSS requirements
    • Submit and track MSS exception requests
    • View a dashboard of information and metrics for your SPAs
    • Search for existing SPAs
    • Copy existing SPAs
  • Navigate to SPAhc’s homepage and click the "Request New Account" button.

    Screenshot of SPAhc homepage highlighting Request New Account button.
  • Before opening a new SPA, you can check if an earlier assessment for the same system has already been completed.

    Because searches in the SPAhc Dashboard are limited to your assigned Org Unit(s), use the following process to check for existing SPAs:

    • Search the Dashboard – Search for the system using the Search functionality on the dashboard. If there’s a match, you can review and/or copy the existing SPA.
    • Contact ISO – If your search does not return a match, the SPA may reside in another Org Unit. To contact ISO: from the Dashboard click Contact Information Security Office and select SPAhc: SPA Question to request a larger search. If ISO finds the assessment, they will make a copy and assign it to you.

Need more help?

Supporting resources for completing the SPA:

For additional questions about SPAs or SPAhc, please email information.security@yale.edu.