UCI Security Risk Assessment Questionnaire (SRAQ)

Security Risk Assessment Questionnaire - v1.5 (Word)

What is a SRAQ?

UCI’s Security Risk Assessment Questionnaire (SRAQ) is a self-assessment tool designed to help Units understand the security posture of their systems. It helps answer the questions “is the Unit doing enough to secure its systems?” and “what are the important things the Unit should do to keep its systems safe?”

The SRAQ is broken down into 4 key parts:

  • Identifying Threats
  • Developing System Diagrams
  • Filling out Controls
  • Creating an Action Plan to remediate risks

When to Complete a SRAQ?

A SRAQ is required for any system that processes, transmits, or stores P3 or P4 data. Systems with P2 or P1 data are welcome to undergo a SRAQ, but it is not required. A completed assessment is good for 2 years. After 2 years, or if there are any major system changes, the SRAQ needs to be updated.

Completed SRAQs should be sent to securityreviews@uci.edu so they can be cataloged within the OIT Security SRAQ inventory.

Facilitated SRAQ Service

Although the SRAQ has been designed as a self-assessment and does not require OIT Security involvement to complete it, there is a facilitated service available for any Units that would like assistance with completing the assessment.

If interested in a facilitated service, please fill out the Facilitated SRAQ Service Request Form. For questions about this service please reach out to securityreviews@uci.edu.

Resources:

SRAQ User Guide

SRAQ FAQ

Application Security Checklist

SRAQ Changelog