Why it’s important
Services must protect sensitive information and user privacy and keep data secure. Evaluate what data your service will be collecting, storing and providing, and consult with experts about the required security level, privacy concerns, and the risks associated with the service.
What to consider
- Does the service collect, use or share personal information about the user? How is the user notified? How does a user access, correct, or remove personal information?
- Does it collect more information than necessary? Could the data be used in ways a user wouldn’t expect?
- Have you conducted a risk assessment on the information system and the data?
- How is the service tested for security vulnerabilities? How often?
Put this principle into action
In the early stages:
- Evaluate what data the service will be collecting, storing and providing. Review the UW–Madison IT Cybersecurity Risk Management Policy and follow the Implementation Plan
- Confirm whether international, federal and state laws apply to your system (e.g., the European Union’s General Data Protection Regulation (GDPR), the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and Wis. Statute 134.98 (PDF))
As you progress:
- Communicate clearly with users about their data and privacy
As the development of the service evolves:
- Conduct a risk assessment; then monitor and ensure the system is operating at the same risk level (see Step 6 of the RMF, “Monitor and Mitigate”)