UCI Security Risk Assessment Questionnaire (SRAQ)
What is a SRAQ?
UCI’s Security Risk Assessment Questionnaire (SRAQ) is a self-assessment tool designed to help Units understand the security posture of their systems. It helps answer the questions “is the Unit doing enough to secure its systems?” and “what are the important things the Unit should do to keep its systems safe?”
The SRAQ is broken down into 4 key parts:
- Identifying Threats
- Developing System Diagrams
- Filling out Controls
- Creating an Action Plan to remediate risks
When to Complete a SRAQ?
A SRAQ is required for any system that processes, transmits, or stores P3 or P4 data. Systems with P2 or P1 data are welcome to undergo a SRAQ, but it is not required. A completed assessment is good for 2 years. After 2 years, or if there are any major system changes, the SRAQ needs to be updated.
Completed SRAQs should be sent to email@example.com so they can be cataloged within the OIT Security SRAQ inventory.
Facilitated SRAQ Service
Although the SRAQ has been designed as a self-assessment and does not require OIT Security involvement to complete it, there is a facilitated service available for any Units that would like assistance with completing the assessment.