Why is an assessment required?

To be compliant with various state laws (Senate Bill 475, Texas Administrative Code 202) and UT System Policy, all new and renewing cloud products and services must be assessed according to their risk, taking into account the product's criticality and the type of University data (https://security.utexas.edu/policies/data_classification) being stored/processed in the product.

What type of University data will be stored or processed?

To determine what type of assessment is required, we first identify the type of data in scope (i.e., the type of data being stored or processed) by the software in question. 

You can review our Data Classification standard here: https://security.utexas.edu/policies/data_classification, which includes the following definitions:

  • Published - University data not otherwise identified as Confidential or Controlled data, and:
    1. The data is publicly available, and
    2. Such data have no requirement for confidentiality, integrity, or availability
  • Controlled - University data not otherwise identified as Confidential, and:
    1. Data not publicly available, and
    2. Data releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.)
  • Confidential - University data that is:
    1. Protected specifically by federal or state law or
    2. Protected by University of Texas rules and regulations
    3. Data not otherwise protected by a known civil statute or regulation, but which must be protected due to contractual agreements requiring confidentiality, integrity, or availability considerations

Will any University data be exposed to a vendor or third-party?

To determine what type of assessment is required, we first identify the type of product using the following definitions: 

  • Applications - created or maintained internally to UT; no external vendors have access to University data
  • Vendor product - maintained by a vendor or external party that has access to University data; often, these products are cloud products where data is stored on a vendor's infrastructure
  • Cloud Computing Service - The TX-RAMP program, created by DIR to provide “a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency” defines a cloud computer service according to the National Institute of Standards and Technology (NIST) Special Publication 800-145 (https://dir.texas.gov/sites/default/files/2023-10/TX-RAMP%20Program%20Manual%203.0%20-%20Effective%2012.31.23.pdf). These characteristics define what makes a computing service a "cloud" service, and a service should meet all of these to be considered a cloud computing service and in scope for the TX-RAMP program:

1. On-Demand Self-Service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed without requiring human interaction with each service provider.

2. Broad Network Access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms.

3. Resource Pooling: The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.

4. Rapid Elasticity: Capabilities can be provisioned and released rapidly and, in some cases, automatically scale outward or inward commensurate with demand.

5. Measured Service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service. Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

What type of assessment is needed?

If the only University data in scope is Published data, no security assessment is needed, but an official UT contract through the Business Contracts Office may still be needed.

If the product/service will be storing/processing Controlled/Confidential University data and the product is a:

  • Vendor product (i.e., the vendor has access to University data) - The vendor will need to complete a HECVAT assessment in Isora. If this product already has an active TX-RAMP Level 2 certification, no additional assessment is needed.
  • Cloud Computing Service (i.e., the service must meet all five characteristics listed above) - The vendor will need to contact TX-RAMP to complete a Level 2 certification: https://dir.texas.gov/information-security/texas-risk-and-authorization-management-program-tx-ramp/tx-ramp-request
  • Application (i.e., University data is not accessible to a vendor/third-party) - The application may need an achitecture review, a penetration test, and/or the owning dept may need to complete a Minimum Security Standard assessment in Isora.

Please reach out to security@utexas.edu and we can help advise on next steps.

NOTE: For applications storing/processing protected University data, units should consult with the Business Contracts Office (vpcfo.contracts@austin.utexas.edu) as a UT contract will generally be required.

How can I tell the status of my product or service?

You can view a list of assessed applications and vendor products in Isora, UT's governance, risk & compliance (GRC) platform.

TX-RAMP Assessment

TX-RAMP information is updated daily using TX-RAMP's API. The Status section will indicate a vendor's current TX-RAMP certifications. For more information on viewing vendor products in Isora: Vendor Product Inventory.

 

HECVAT Assessment

The Information Security Office (ISO) will be working throughout 2024 to build out a more complete list of applications and vendor products that have been assessed via a HECVAT in Isora and approved by the ISO, including: 

  • Vendor product/Application name
  • Statuses, including Approved by UT ISO, Business Contract in Place, Depts that have deployed the software

 

Resources