What is an SDA?
Before sharing or storing university data with a new digital solution or service, the product or vendor receives a review that assesses its compliance with federal, state, and University policies, its security and privacy practices, and its compatibility with existing technologies.
If your department is looking for a solution to fill a need or gap, please reach out to PMO@odu.edu. They can help identify potential existing solutions and facilitate connections with departments already using them.
The Solutions Discovery Analysis is used to meet several needs of the university, taking a data-first approach. The goals of any SDA are to:
- Conduct third-party risk management, which encompasses a review of vendors’ data security and privacy practices, breach response and notifications, compliance requirements, and University contractual obligations.
- Ensure alignment with University initiatives such as the OMNI initiative.
- Assess implementation, support, ongoing maintenance, and efficiency of technical solutions.
How is an SDA review conducted?
- First, submit a.
- We will review for potential exemption criteria.
- If the solution does not meet exemption criteria, an SDA review is necessary. During the SDA review, we will:
  - identify the data involved
  - look at business use cases
  - determine how the solution processes, integrates, and shares data
  - assess vendor security and privacy
  - identify potential risks, etc.
- Identify and obtain signatures from the system compliance owner, data compliance, and any other roles as identified.
- We will include the requestor in all communications throughout the review process.
(We do our best to keep the dashboard as up-to-date as possible, but some quantitative data may not be 100% accurate. Please email informationsecuritygrc@odu.edu with questions.)
What should I include in the questionnaire?
- Ask the vendor to complete the
- Include a procurement contract, which may include:
  - MSA, SaaS, SLA, etc. agreements that define the Terms and Conditions of Use, etc.
  - A vendor quote/proposal that defines the scope, deliverables, term start/end dates, and costs.
  - Sole Source Justification if the software can’t be purchased from an approved cooperative/GPO.
- The SDA process will try to work in parallel with procurement.
Data classification
The level of security review depends on the data classification:
This would include information protected under federal, state, or industry regulations and/or civil statutes, which, if lost, may require breach notification and cause potential regulatory sanctions, fines, and damage to the institution’s mission and reputation.
Types of vendor assurance to include in the SDA submission include, but are not limited to: SOC 2 Type 2, HITRUST, ISO certifications, PCI AoC, FedRAMP.
This would include data not explicitly defined in class 1, but which could be regulated while posing lower risk, or proprietary or confidential information that, if improperly released, has the potential to cause harm to the institution, its mission, or its reputation. Examples include proprietary and properly de-identified research information, business-related email or other communication records, financial information, employee performance records, operational documentation, contractual information, intellectual property, internal memorandums, salary information, and all other information releasable in accordance with the (Code of Virginia 2.2-3700).
Types of vendor assurance to include in the SDA submission include, but are not limited to: assurances from class 1, HECVAT, security white papers, external scan or pen test reports.
This would include data not explicitly defined in classes 1-3, not regulated, and posing a lower risk to the University, or considered publicly available for unrestricted use and disclosure.
General assessment or complete exemption. Types of assurance for proprietary information include HECVAT, Privacy Policy, etc.