Information Risk Assessment (IRA)

Why should an IRA be submitted?

An IRA should be submitted for a project to ensure appropriate information is provided to enable efficient decision-making by Information Stewards and to ensure appropriate security risk mitigation strategies are in place to protect sensitive data.

When should an IRA be submitted?

An IRA should be submitted when it is necessary to identify potential privacy and security risks of new or redesigned university business processes or services which use personal or other sensitive information (as defined in Policy 46 - Information Management).

In the specific case of cloud solutions which are considered high risk, where a new implementation, a significant upgrade or a license renewal of the solution is occurring, either an IRA or an equivalent review should be performed.

At what stage of a project should an IRA be submitted?

An Information Risk Assessment (formerly the Privacy and Security Impact Assessment (PSIA)) for a project is ideally submitted once the scope has been defined and the problem the project is addressing has been identified (typically during the initiation phase). If the project is for a Request for Proposal (RFP), the IRA may be filled out and submitted prior to the RFP being published. Of course, the IRA team welcomes submissions at any point during the project's life cycle, recognizing that things may have changed on the project that now require an IRA, or that the team was not aware of the IRA process during initiation.

Who should submit an IRA?

The submission may come from a project manager, sponsor, project owner, project lead or other team member.  The submitter should be well aware of the project details so that they can disseminate information appropriately.

How do I submit an IRA?

Please refer to the Information Risk Assessment (IRA) page for specific information on the process and a link to the IRA form.