Carnegie Mellon University

Security Assessment Process

The Information Security Office has created a simple process around security assessments to provide clarity and consistency.  The process is as follows:

  1. Complete the Guidelines for Data Protection Self-Assessment Spreadsheet, answering all questions as applicable.
  2. Contact ISO at
  3. ISO accepts the project
  4. Security Assessment Questionnaire is completed by the customer
  5. Scoping/Kick-off meeting is held.  The goal of the Scoping/Kick-off meeting is to determine what type of assessment is appropriate, the scope of the assessment, a timeline for completion and contact information.  A Statement of Work is produced as a result of this meeting and is signed by ISO and the customer.
  6. Assessment is scheduled (project end date also noted)
  7. Assessment is performed during agreed upon times.  ISO will remain in contact with the customer throughout the assessment.  In the event that ISO finds vulnerabilities that present an immediate security risk, the finding will be immediately communicated to the customer.
  8. Assessment report is produced and reviewed internally by ISO staff
  9. Assessment report is distributed to customer and review meeting is scheduled
  10. Wrap-up meeting is held where detailed findings are presented
  11. ISO and customer sign-off on results

This process is also illustrated in the following diagram.

Sponsor Initiated Security Assessment Process
Click for an enlarged view