CONFIDENTIAL. For internal use only.

Do not disclose this form to external parties when completed.

Technology Assessment Form

Part I: General Information

The technology assessment process ensures compliance with information security, privacy, data governance, and enterprise architecture policies and principles.Please complete this form if you are:

  • considering or proposing the acquisition of or changes to existing technology, or
  • required to complete a threat, risk and privacy impact assessment of an existing system,

Please note that not every question will be applicable to every system and that authors may not be able to complete every question. Unit IT coordinators and the Technology Assessment Team will assist authors and project proponents in completing this form and related documentation. If the system is related only to research, please contact the Technology Assessment Team to determine if this form is required. Submit completed form to .

Date:
Author(s) (name and title):
Business Owner (name and title):
College/Department/Unit:
Technical Manager (name and title) (if applicable):
Name of System:
Type of System:
☐Teaching and Learning / ☐Research / ☐ Administration/Operations
☐Student Experience / ☐Medical/Clinical / ☐Fundraising/Marketing
☐Other:
Target implementation date:
What are the considerations influencing the direction or timeline of this initiative?
Attach all relevant or applicable documentation:
☐ Project charter / ☐Vendor Documentation:
☐ Contract/Terms of use/End User License Agreement (EULA)
☐ Privacy policy
☐Security policy
☐Quote
☐ Research ethics application (if this is dealing with human research or personal (health) information)
☐ Internal policies or procedures related to the project that address security, privacy and access safeguards
☐ Other: ______

Technology Assessment Form

Last updatedSeptember 30, 2018Page 1 of 6

CONFIDENTIAL. For internal use only.

Do not disclose this form to external parties when completed.

Part II: Information About The System

Provide a brief description of the system – what does it do and what do you (intend to) use it for? Provide link to Vendor website if applicable.
What are the anticipated benefits of this system?
Is this a new system, change to an existing system, or replacing an existing system? / ☐ New / ☐Change / ☐Replacement / ☐unknown
If yes, will part of the system be required for historic purposes? Is there a deprecation or retirement plan for that system?
Is there an existing system on campus that provides a similar benefit or functionality? / ☐ Yes / ☐ No / ☐n/a / ☐unknown
If yes, please indicate what system has been identified and why it may not meet your needs:
Are there other Canadian universities that use this system? / ☐ Yes / ☐ No / ☐n/a / ☐unknown
If yes, please specify:
What is the life expectancy/duration of use for this system?
What are the total anticipated system costs?
How will you determine if the initiative is successful? (e.g. what are you hoping to improve?)
Is the desired benefit or functionality part of the future roadmap in a core or enterprise system? / ☐ Yes / ☐ No / ☐n/a / ☐unknown
If the desired functionality is not part of a future roadmap and there isn’t an existing system that may support this initiative, is this a common need across campus? / ☐ Yes / ☐ No / ☐n/a / ☐unknown
If so, what colleges, units or departments would benefit from this system?
Is it possible to deliver the system in stages so the business unit/department can start to benefit immediately? / ☐ Yes / ☐ No / ☐n/a / ☐unknown
Who is going to manage or administer the system? What is the operational model for the system?
What is the support model for this system? (e.g. support hours provided by the vendor and time zone, local support team, and escalation processes)
Is there a risk that failure of the system could result in personal injury, loss of life or property damage? Please describe.
What are the consequences of downtime or of the system being offline? Are there alternative modes of operation if the system is unavailable?
Does this system rely on any other system or sub-system to be operational? Please describe.
In a disaster scenario how much data loss is tolerable? Is there a target recovery time? When are peak times?
What is the plan for addressing critical security patches, updates and renewals for this system?
If the system or parts of it are delivered by a third party off-site, what is the notice period for a change of service or jurisdiction? Is this acceptable?
What is the new functionality/feature request process for this system?
What are the upgrade and release cycles for this system?
What options are available if the service provider becomes insolvent or the contract is cancelled?

Part III: Privacy, Security and Risk

A: Data Classification

Review the Data Management Policy and Governance Framework and identify the Data Trustee, Data Steward, and classification of the data impacted by this system.

Data Management Policy & Governance Framework: /

Data Trustee (name and title):
Data Steward (name and title):
Has the data steward approved the use of the data for this purpose?
Is this the system of record for this data?
What are the business users’ data quality requirements?
Data Class / Indicate all data types that will be accessed, created, used, transferred or stored by the system.
Restricted / Data of a highly sensitive or confidential nature which is intended for restricted internal use. / ☐ / Social Insurance Number
☐ / Health information, eg. patient records
☐ / Credit card or banking information
☐ / Passwords
☐ / Other
Limited / Data of a sensitive or confidential nature that is protected from general internal distribution. / ☐ / Personal information: eg. full name, address, phone numbers, date of birth, citizenship
☐ / Unique identifiers: eg. student card number, NSID, employee number, alumni card number, passport numbers
☐ / Student information: eg. course grades, academic program, education level
☐ / Employment information: eg. employment benefits, employee personnel files
☐ / Other
Internal / Data that is available to those members of the university community with a clear business need for access as part of their employment or academic duties and responsibilities. / ☐ / Student university email address or major college
☐ / Aggregated demographic information from which personal information about an individual cannot be identified or inferred
☐ / Other
Public / Data that is (or can be) generally available to all employees, the general public, and the media. / ☐ / Convocation lists or year, qualification awarded
☐ / Campus maps, parking
☐ / Student demographic data aggregated at the institutional level
☐ / Job postings
☐ / Other

Compliance Requirements

The system may need to comply with certain standards or legislation. In addition to The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), The Health Information Protection Act (HIPA), Canada’s Anti-Spam Legislation (CASL), Payment Card Industry Data Security Standards (PCI DSS), are you aware of any other compliance standards that may apply? If yes, please describe. Examples may include Transportation Safety Board of Canada or Canadian Nuclear Safety Commission regulations.

B: Context of Use

Who is the data about? (e.g. students, staff, research participants).
What is the size of the population impacted by this system? What is the expected user base?
How is the data within the system populated? Does the university provide data to the system or service provider? Does this system use data from other sources? What is the integration model?
How is the data collected, transmitted, used, modified, stored, destroyed or repatriated? Attach a system data flow diagram if available.
Where is the data stored? On premises or off premises? What jurisdiction?
Who accesses and uses the data?
How is that access managed? What data safeguards will control or limit access by individuals, support staff and administrators?
What is the retention period required for the data? Where will it be stored/archived?
How and when will the data be destroyed?
Is the product hardware or does it include hardware that will be connected to university networks? / ☐ Yes / ☐ No / ☐n/a / ☐unknown
Is the product or system software? / ☐On-premises / ☐Vendor-hosted / ☐n/a / ☐unknown

C: Privacy

Do you have the express consent of the impacted individuals to use or disclose their information as described in Section B? / ☐ Yes / ☐ No / ☐n/a / ☐unknown
Do you have implied consent of the impacted individuals to use or disclose their information in this way? / ☐ Yes / ☐ No / ☐n/a / ☐unknown
Is it or will it be mandatory for members of the university to use this system or have their information used or disclosed in this way? / ☐ Yes / ☐ No / ☐n/a / ☐unknown
Will members have a choice to opt in? / ☐ Yes / ☐ No / ☐n/a / ☐unknown
Will members have a choice to opt out? / ☐ Yes / ☐ No / ☐n/a / ☐unknown
Will personal information be used or disclosed for secondary purposes or purposes other than the core service (e.g. advertising purposes)? / ☐ Yes / ☐ No / ☐n/a / ☐unknown
If there is a service provider, does the service provider have rights or obligations to disclose personal information? / ☐ Yes / ☐ No / ☐n/a / ☐unknown
If there is unauthorized use or disclosure of personal information, is notice provided to the university? / ☐ Yes / ☐ No / ☐n/a / ☐unknown

D: Safeguards

Please indicate and describe what physical, technical and administrative safeguards are or will be in place to protect the data. Unit IT Coordinators and Technology Assessment Team can assist in reviewing documentation and identifying safeguards.

Physical / ☐ / Facility Access Controls: / ☐ / Re-Use Procedures:
☐ / Work Station Use/Security: / ☐ / Backup Procedures:
☐ / Device and Media Controls: / ☐ / Storage Procedures:
☐ / Disposal Procedures: / ☐ / Other:
Technical / ☐ / Access Controls: / ☐ / Transmission:
☐ / Audit Controls i.e. logs: / ☐ / Anti-Virus/ Malware Detection:
☐ / Integrity: / ☐ / Transmission Security:
☐ / User Authentication: / ☐ / Encryption:
☐ / Other:
Administrative / ☐ / Access and Authorization Procedures: / ☐ / Contingency/Disaster Recovery Plan :
☐ / Incident Response and Reporting Procedures: / ☐ / Security Awareness Training:
☐ / Contractual: / ☐ / Other:

E: Risks

Please describe the potential risks of the system, indicate the likelihood, impact and type of risk, and provide mitigation strategy. Please add additional pages if necessary.

Risk / Likelihood / Impact / Type / Mitigation Strategy:
☐ / High / ☐ / High / ☐ / Reputational
☐ / Medium / ☐ / Medium / ☐ / Financial
☐ / Low / ☐ / Low / ☐ / Compliance
☐ / High / ☐ / High / ☐ / Reputational
☐ / Medium / ☐ / Medium / ☐ / Financial
☐ / Low / ☐ / Low / ☐ / Compliance
☐ / High / ☐ / High / ☐ / Reputational
☐ / Medium / ☐ / Medium / ☐ / Financial
☐ / Low / ☐ / Low / ☐ / Compliance
☐ / High / ☐ / High / ☐ / Reputational
☐ / Medium / ☐ / Medium / ☐ / Financial
☐ / Low / ☐ / Low / ☐ / Compliance

Part IV: Cloud Vendor Assessment

If this system or parts of it is provided by a cloud service provider (SaaS, PaaS, IaaS), please have the service provider complete the Cloud Vendor Preliminary Assessment Checklist (available from the Technology Assessment Team) and submit the completed assessment with this form. When requesting this information from the service provider, we may offer to enter into a template non-disclosure agreement (available from the Technology Assessment Team). DO NOT PROVIDE THIS TECHNOLOGY ASSESSMENT FORM OR INTERNAL INFORMATION TO THE CLOUD VENDOR.
☐ / Attached

For Office Use Only

Requirements:

Recommendations:

Privacy Officer: / ☐ / Proceed with recommendations / ☐ / Proceed with no recommendations / ☐ / Do not proceed / Date:
Chief Information Security Officer / ☐ / Proceed with recommendations / ☐ / Proceed with no recommendations / ☐ / Do not proceed / Date:
Enterprise Architect / ☐ / Proceed with recommendations / ☐ / Proceed with no recommendations / ☐ / Do not proceed / Date:
Approval
For Restricted Data:
Data Trustee
Name:
Date: / Chief Information Officer and AVP ICT
Name:
Date:
For Restricted, Limited and/or Internal Data:
Data Steward
Name:
Date:

Technology Assessment Form

Last updatedSeptember 30, 2018Page 1 of 6