UCI Information Security Risk Assessment Questionnaire


Security Risk Assessment Questionnaire - v1.5 (Word)

Security Risk Assessment Questionnaire LITE - v1.5 (Word)

Supplemental Resources:

Application Security Checklist - v1.0 (Word)

SRAQ User Guide


SRAQ Changelog

What is this tool?


This tool allows you to answer the question, "Am I doing enough to secure my system?"

At a minimum, use the 20 controls as a benchmark. For higher risk systems, use the detailed control guidance to ensure a robust and thorough analysis of security meaures.

Reviews and Audits

We've been told that there is inconsistency in both the security review and internal audit process. This tool helps standardize the process so there will be no surprises.

Regulatory Requirements

While each data security compliance framework, such as PCI or FISMA or HIPAA, will always have independent requirements, our philosophy is security is more effective when it is holistic and based on our actual risk. We have a unified approach that we map back to the compliance requirements as much as possible.

Vendor Assessment

This tool also standardizes the approach for assessing the security posture of our information vendors. Also, anyone familiar with the requirements can review the answers.