Security Review

What is a security review?
A security review is a collaborative process used to identify security-related issues, determine the level of risk associated with those issues, and make informed decisions about risk mitigation or acceptance.

When is a security review needed?
A security review should be completed for all services and service changes that may affect security prior to go-live. Security reviews can also be performed for existing services if business or technical partners determine one is needed – typically in response to security concerns or new security-related requirements.

Steps for completing a security review:

1. Brainstorming: Identify known or potential security concerns/threats/vulnerabilities

  • To be done by technical and business partners together, including IT Policy and Security. This can be done by a Service Team if all parties are represented
  • The Service Manager or convener of the review should seed the list with already-identified issues prior to the larger brainstorming session
  • Note: Common issues are identified in the "seeded" version of the template (link above). Not all pre-seeded issues will apply to all situations. This template also has space to add project-specific issues in addition to the pre-seeded issues.

2. Identify existing and planned/scheduled mitigations for each issue
3. Rank likelihood (low/med/high) of the issue occurring given existing/planned mitigations, and impact if it were to occur (low/med/high)
4. Identify residual risk (low/med/high); risk = likelihood x impact
5. Identify additional possible mitigations to address residual risk, and effort/cost (low/med/high)
6. Present information to business partner or Service Sponsor for acceptance/non-acceptance of residual risk.

  • Acceptance or non-acceptance should state whether the residual risk is accepted as-is or specify any conditions attached to the decision.
  • Where additional action is required, identify action items, owners, and dates where possible.
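The following is an added example of a small risk register that walks steps 2 through 6 above in code; it is not part of the original document or of any template it refers to. The page gives no numeric scale, so the example assumes low/med/high map to 1/2/3, computes residual risk as likelihood x impact, and bands the 1..9 product back onto low/med/high with assumed thresholds (1-2 low, 3-4 med, 6-9 high). The sample issues, mitigations and decision fields are constructed for illustration.

```python
"""Risk register helper for the security-review steps above.

Added example, not from the original page. Assumptions:
  - low/med/high map to 1/2/3 (the page gives no numeric scale)
  - residual risk = likelihood x impact, banded with assumed
    thresholds: product 1-2 -> low, 3-4 -> med, 6-9 -> high
"""
from dataclasses import dataclass, field

SCALE = {"low": 1, "med": 2, "high": 3}


def score(level: str) -> int:
    """Map a low/med/high rating to its assumed numeric value."""
    try:
        return SCALE[level.lower()]
    except KeyError:
        raise ValueError(f"unknown rating {level!r}; expected low/med/high")


def band(product: int) -> str:
    """Assumed banding of the 1..9 product back onto the page's three levels."""
    if product <= 2:
        return "low"
    if product <= 4:
        return "med"
    return "high"


@dataclass
class Issue:
    name: str
    likelihood: str   # rated given existing/planned mitigations (step 3)
    impact: str       # rated if the issue were to occur (step 3)
    existing_mitigations: list = field(default_factory=list)    # step 2
    additional_mitigations: list = field(default_factory=list)  # step 5: (description, effort)

    def residual_risk(self) -> int:
        return score(self.likelihood) * score(self.impact)

    def residual_band(self) -> str:
        return band(self.residual_risk())


def build_register(issues):
    """Order issues by residual risk (step 4), highest first, for presentation (step 6)."""
    rows = []
    for issue in sorted(issues, key=lambda i: i.residual_risk(), reverse=True):
        rows.append({
            "issue": issue.name,
            "likelihood": issue.likelihood,
            "impact": issue.impact,
            "score": issue.residual_risk(),
            "residual": issue.residual_band(),
            "existing": issue.existing_mitigations,
            "additional": issue.additional_mitigations,
            "decision": None,  # filled in by the business partner / Service Sponsor
        })
    return rows


def needs_decision(register, threshold="med"):
    """Rows at or above the threshold band that the sponsor must explicitly accept or act on."""
    return [r for r in register if SCALE[r["residual"]] >= SCALE[threshold]]


def record_decision(row, accepted: bool, conditions=None, actions=None):
    """Step 6 outcome: acceptance as-is, acceptance with conditions, or action items.

    Each action is a (item, owner, due date) tuple, as the page asks for.
    """
    row["decision"] = {
        "accepted": accepted,
        "conditions": conditions or [],
        "actions": actions or [],
    }
    return row


# Constructed sample issues (hypothetical, for illustration only)
SAMPLE_ISSUES = [
    Issue("Admin interface reachable without MFA", "med", "high",
          existing_mitigations=["VPN required"],
          additional_mitigations=[("Enforce MFA via SSO", "low")]),
    Issue("Verbose error pages in production", "high", "low",
          existing_mitigations=[],
          additional_mitigations=[("Generic error handler", "low")]),
    Issue("Backups stored unencrypted", "low", "high",
          existing_mitigations=["Restricted bucket ACL"],
          additional_mitigations=[("Enable server-side encryption", "low")]),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_ISSUES)
    for row in register:
        print(f'{row["residual"]:>4} ({row["score"]})  {row["issue"]}')
    print("Require sponsor decision:", [r["issue"] for r in needs_decision(register)])
```

The register keeps the ratings the reviewers assigned alongside the computed band, so a sponsor can see why an item ranks where it does; the decision record captures the conditions or action items (with owner and date) that the page asks for, rather than a bare accept/reject flag.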