Information Security Risk Management–Frequently Asked Questions (FAQ)

Getting started

When should I engage the Information Security Risk Management office?

As early as possible—ideally during planning or vendor selection—so we can identify risks before contracts are signed or code goes live. Early engagement helps avoid delays later.

What types of engagements require a risk assessment?

Any engagement involving third-party vendors, cloud services, new software tools, or sensitive data (e.g., student records, health data, financial systems) should be assessed. When in doubt, contact us—we’d rather double-check than miss something important.

Assessment Process

How long does a Third-Party Risk Assessment take?

Our standard Service-Level Agreement (SLA) is 7–20 business days, depending on data sensitivity, risk complexity, and vendor responsiveness. Submitting your request early gives us time to keep you on schedule.

What information do I need to provide?

We’ll need:

  • A brief description of the project or vendor
  • Data classification (Restricted, Confidential, Internal, or Public)
  • Hosting details (e.g., cloud vs. on-premises)
  • Any vendor-provided security documentation (SOC 2 report, HECVAT, SIG questionnaire, etc.)

Why do you ask for security certifications or documents from vendors?

Security certifications like SOC 2, ISO 27001, or completed questionnaires help us assess the vendor’s controls and identify potential weaknesses. This saves time and allows for more accurate risk analysis.

Does the Information Security Risk Management office approve or deny projects?

No. We provide risk-based insights and recommendations. Final go/no-go decisions—and acceptance of any remaining risk—remain with your department or business unit.

Can I still move forward if risks are identified?

Yes, provided your department formally acknowledges and accepts the remaining risk. We document these risks and may recommend additional controls, ongoing monitoring, or scheduled reassessments.

After the Assessment

What happens after the assessment is complete?

You’ll receive a formal report outlining identified risks, suggested mitigations, and a residual risk score. If action is needed, we’ll track it through follow-up reviews or recertification as appropriate.

Where can I track my request?

  • If you submitted via ServiceNow, you can track progress and communicate with our team through the Rutgers IT Service portal.
  • If you used the Work Intake Form, updates will be shared through email as your request moves through our queue.

Additional topics

Are there fees for assessments?

No. All core risk assessment services are provided at no cost to Rutgers departments.

What if a vendor “fails” the assessment?

We don’t issue pass/fail grades. We highlight risks and provide recommendations. If risk cannot be mitigated to an acceptable level, we’ll help you evaluate alternative options or protections.

How does the Information Security Risk Management office classify data?

We follow Rutgers’ Information Classification Policy, which includes:

  • Public – General access data
  • Internal – Operational data not intended for public distribution
  • Confidential – Sensitive business data (e.g., HR, finance)
  • Restricted – Regulated data like SSNs, health records, or financial aid data

What are vulnerabilities in cybersecurity?

A vulnerability is a weakness or flaw in a system, application, network, or physical environment that an adversary can exploit to gain unauthorized access, disrupt operations, or compromise data. These weaknesses can be found in software code, hardware configurations, physical security controls, or even human processes.

What is the CISA KEV list?

The CISA KEV list refers to the Known Exploited Vulnerabilities (KEV) Catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA). It includes vulnerabilities that are actively being exploited by malicious actors in the real world.

What is the CVSS Scoring System?

The Common Vulnerability Scoring System (CVSS) is used to assess the severity of vulnerabilities. Scores range from 0.0 to 10.0, with higher scores indicating more severe vulnerabilities.

How does Rutgers use CVSS scores?

Rutgers uses vulnerability management tools that apply the Common Vulnerability Scoring System (CVSS) to prioritize remediation actions. Vulnerabilities are categorized as Critical, Severe, or Moderate based on their CVSS scores.

What is the NIST CVE Classification System?

The National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database (NVD), which uses the Common Vulnerabilities and Exposures (CVE) system. Each vulnerability is assigned a unique CVE ID to help organizations track and manage it.

Explore the CVE system:

  • NIST National Vulnerability Database (NVD)
  • CVE Program Official Site

Can’t find what you’re looking for? Contact Us and we’ll respond within one business day.