Skip to main content
Reporting an issue

SPA Questions Guidance

Security Planning Assessment (SPA) Questions

The Security Planning Assessment (SPA) is a new process to ensure the security of Yale IT Systems. The SPA replaces the old Security Design Review (SDR) process. The SPA ensures you have a plan to operate a secure IT System throughout its lifecycle. 

This shows a person checking off steps to a process (i.e. the Risk Classification Process).

This page provides guidance on how to complete the five SPA questions.

Below is the list of the five SPA questions with sample answers. For more information on the SPA, please visit our SPA webpage. You can also click the button below to start a SPA request for your IT System. 

View the  SPA webpage Request a SPA

Question 1: List the contact for this assessment, the purpose of the system, and the components of the system (e.g. System Name, IP Addresses, and URLs) 


The purpose and components ensure that the scope of the IT system is well-understood. Also, this information enables Yale ISO to provide targeted security monitoring, testing and appropriate incident response.

For Yale hosted and managed IT systems, please list the IP address and hostname for every server or computing device in all environments (e.g. development, test, production), basic function, geographic location of the IT system, and list of integrations with other IT systems. For a third-party IT system, provide the name of the third-party provider, all URLs associated with the system or service, and the basic purpose of the IT system or service.

Example Answer:

Requestor Contact Information:
Jane Doe,, 203-555-0123

Description of the system:
System X will manage a research survey for an IRB-approved study. The application will be open to the internet. A web application will collect query responses and create reports. Administration of the application is restricted to researchers and to the campus network. System X is not integrated with any other application. The following data elements exist in the system: Names (First and Last), MRNs, DOB, SSN. 


Web Application and Database 



IP Addresses: (F5) (Web App (external) - Production) -
Inbound internet access to a research survey (Web App running (internal) - Production) - (Web App (internal) - Development) - (Web App (internal)- Test) -

  • Apache Tomcat v9.0.39
  • Red Hat Enterprise Linux 8
  • Collects survey data. (Database - Production) - (Database - Development) - (Database - Test) -

  • Windows Server 2019
  • Microsoft SQL Server 2019
  • Stores data from surveys

Question 2: What is the risk classification of the IT system? 


Risk classification determines the correct set of controls to apply from the Minimum Security Standards (MSS). The higher the risk, the more protection the system requires. Risk classification consists of data classification, availability requirement, and external obligations. Please consult appropriate stakeholders and follow the Risk Classification Guideline.

Example Answer:

  • Data Classification: High
  • Availability Requirement: Low 
  • External Obligations: HIPAA, SSN
  • Overall Risk Classification: High Risk, HIPAA, SSN 

Question 3: Did you read and understand the Yale Minimum Security Standards (MSS) and does the IT system adhere to the MSS?


The MSS are baseline requirements for securing Yale IT Systems based on risk. You are responsible for maintaining adherence to the MSS that apply to your system. Include the standard/sub-standard numbers for standards you cannot meet.

View Yale's Minimum Security Standards

Example Answers:

  • Yes - The system adheres to all MSS and sub-standards.

  • No - The system cannot meet MSS numbers 7.1.1 and 11.6. Exception requests submitted.

Question 4: Do you have a plan to adhere to the MSS for the life of the system?


You must have a plan to support the IT system through its operational life. Please confirm you have an operational and financial plan to maintain adherence to the MSS.

Example Answers:

  • Yes – There is an operational and financial plan in place to maintain the controls in the MSS throughout the life of the system. For third parties, contract terms provide the appropriate ongoing maintenance of the requisite security controls.
  • No – There are gaps in the financial or operational plans such that maintenance of the MSS is unlikely.

Question 5: Have you submitted any exceptions to the MSS through the exception process?


Exceptions ensure that misalignments with the MSS are handled appropriately, raising visibility of the increased cybersecurity risk to the right people, implementing reasonable compensating controls, and developing remediation plans. Submit an exception request when your system cannot meet one or more controls found in the MSS. Provide the RITM numbers associated with any exceptions. The RITM is the number associated with your exception request. You will get an email receipt with the RITM from ServiceNow once you submit your request.

Submit an Exception Request

Example Answers:

Yes - I need exceptions for:

  •   MSS: 7.1.1 and 11.6.  RITMs: RITM12345, RITM67890
  • Nessus - Plugin 35291 - SSL Certificate Signed Using Weak Hashing Algorithm (Medium Severity) - RITM54321

No - the system aligns with the MSS. No exceptions needed.

Need help?

Supporting resources for completing the SPA: 

For additional questions about the SPA, please email