
Security Planning Assessment (SPA) Process Guidance

The Security Planning Assessment (SPA) is Yale's process to highlight and manage cybersecurity risk through compliance with the MSS.

SPA Process Overview

The goal of this process is to highlight cybersecurity risk and manage this risk through compliance with Yale’s Minimum Security Standards (MSS).  The Information Security Office (ISO) will act as an advisor providing guidance throughout the process.  

What's involved in the SPA process?

The table below outlines the activities that take place as part of the SPA process, who completes each one, and whether it applies to onsite (Yale-hosted) or vendor-hosted systems.

Phase  Activity                                             Responsible              Onsite system     Vendor-hosted system
1      Obtain IT support                                    Requestor                Yes               Yes
1      Determine risk classification                        Requestor                Yes               Yes
1      Review AI guidelines                                 Requestor                Yes               Yes
1      Complete MSS review                                  Requestor                Yes               Yes
2      Submit SPA Request Form                              Requestor                Yes               Yes
2      ISO advisory consultation                            ISO, Requestor           Yes               Yes
3      Finalize exception requests                          ISO, Requestor           Yes (if needed)   Yes (if needed)
3      Vulnerability scans and remediation                  ISO, Requestor           Yes               No
3      Third Party Risk Management (TPRM) assessment        ISO, Vendor              No                Yes
3      Data Addendum, Business Associate Agreement (BAA)    Requestor, Procurement   No                Yes

Steps to Complete in the SPA Process

Phase 1: Risk Classification and MSS Review

  • Contact your IT support provider first.

    Please see the Campus IT Support webpage. The entire SPA process is technical in nature.  If you are not someone who understands IT and cybersecurity issues, work with your IT Support provider to complete the SPA process.

  • Classify your IT system as Low Risk, Moderate Risk, or High Risk.  

    For more information, please see the Risk Classification Guideline.

  • Review the Yale University AI Guidelines for Staff page and submit an AI project request if your system involves AI (e.g., machine learning, deep learning, large language models, etc.).

    If you are unsure if your system uses AI, contact your IT Support Provider or vendor.

  • Review and determine the IT system’s alignment with the MSS. This review looks different for onsite versus vendor-hosted systems. Not all MSS requirements apply to a given system; to determine which are relevant to yours, use the MSS Calculator.

    As part of the SPA process, requestors will be asked to attest that the IT System meets all relevant MSS requirements and that any gaps have been addressed through the exception request process.

    Do not send the MSS to a vendor. The vendor will complete a separate third-party risk assessment questionnaire.

    1. Use the MSS Calculator to generate the relevant requirements for your system. The MSS Calculator produces a list of requirements (downloadable as a CSV file) based on the system’s type, risk classification, and external obligations.

    2. Review the requirements to determine which are applicable to the IT system. You should be able to note (very briefly) the reason a requirement does not apply. An example of a requirement which may not be applicable is training for third parties (YALE-MSS-11.2): if only Yale users will use the system, this requirement does not apply.

    3. Determine which of the applicable requirements are handled by Yale and which by the system vendor, if there is a vendor. For systems maintained by a third party (e.g., systems hosted by a vendor in their cloud), the ISO assesses the vendor by administering a Third Party Risk Management (TPRM) questionnaire. Do not send the MSS to the vendor.

    4. Submit an exception request for each applicable requirement you are not able to meet.

    One option to help with your MSS review is the Excel MSS Review Workbook. This is one way to manage the information involved in the review; other approaches are certainly possible. There is no obligation to share this workbook with the ISO.

Phase 2: Intake and Triage

  • Complete the SPA Request Form. This step notifies the ISO of your request and places it in a queue to be processed.

    The SPA Request Form asks the following questions:

    • List the contact for this assessment, the purpose of the system, and the components of the system.
    • What is the risk classification of the IT system?
    • Did you read and understand the Yale Minimum Security Standards (MSS), and does the IT system adhere to the MSS?
    • Do you have a plan to adhere to the MSS for the life of the system?
    • Have you submitted any exceptions to the MSS through the exception process?

    Guidance regarding the questions above, as well as examples of how to answer them, is included on the SPA Request Form.

    Once the form is completed, a member of the ISO Risk & Compliance team will contact the requestor to advise on next steps.

  • Following completion of the MSS review and submission of the SPA Request Form, the ISO will:

    • Send a brief questionnaire about the IT system covering:
      • Contact information (vendor / Yale Procurement)
      • System integrations
      • Network exposure
      • User profiles
      • Authentication
      • Data
      • Research project information (if applicable)
    • Schedule a short (~30 minute) discussion to review responses to the questionnaire.

Phase 3: Advanced Assessment

  • Finalize exception requests. An exception request is required for:

    • Any MSS requirement that cannot be met.
    • Any critical, high, or medium severity vulnerability identified that cannot be addressed within 30 days.

    See the Request an Exception page for additional information on exception requests or to start a new exception request.

  • Vulnerability scans and remediation. This step only applies to onsite systems.

    All Yale-hosted IT systems go through the vulnerability scanning process, which may include scans of:

    • Hosts
    • Applications
    • Containers
    • Cloud assets

    Vulnerabilities must be addressed according to the guidance in the MSS. For vulnerabilities that cannot be addressed, the exception request process must be followed.

  • Third Party Risk Management (TPRM) assessment. This step only applies to vendor-hosted systems.

    The third-party risk assessment process is how the ISO determines whether a vendor has a reasonable security program in place to protect Yale data.

    See the Third Party Risk Management (TPRM) Service page for additional information on the third-party risk assessment process.

  • Data Addendum and Business Associate Agreement. This step only applies to vendor-hosted systems.

    As part of the SPA process, the ISO will ensure that the following agreements are in place with the vendor.

    • Data Addendum: This agreement is handled through the Procurement Office and covers items related to Yale’s cybersecurity interests.
    • Business Associate Agreement (BAA): This agreement is handled through the HIPAA Privacy Office and outlines responsibilities when the University shares its HIPAA data with a third party. Additional information can be found on the Tracking & Management of Business Associates page of Yale's HIPAA website.

Tips to Expedite the SPA Process

  • Engage your IT support provider for assistance.
  • Complete your MSS review and understand how your IT system aligns with the MSS before you complete a SPA request.
  • Submit exception requests for gaps related to the MSS before creating the SPA Request Form.
  • If Yale data will be stored by a vendor, inform the vendor early that they will need to complete the ISO's Third Party Risk Management (TPRM) questionnaire and sign a Data Addendum (and a Business Associate Agreement if HIPAA data are involved).
  • Contact information.security@yale.edu with any questions before a SPA is submitted.

Need more help?

Please email information.security@yale.edu for additional assistance.