Impact Assessment Tool

This tool is used to determine the impact level of IT systems/services. The impact level (high or low) of a proposed IT investment or project determines the process by which IT Governance reviews the project or investment.


There is no need to submit this form; it is only used to generate the impact and security review requirements for an investment.


Please refer to go.vcu.edu/itgov for more information or contact itgov@vcu.edu

What is the estimated business impact of this new solution/service (check all that apply):


What is the estimated financial/resource impact of this new solution/service (check all that apply):


What is the estimated user impact of this new solution/service (check all that apply):


What is the estimated risk of failing to procure this new solution/service (check all that apply):


Unsure or do not know?

If you are unsure how to answer, please reach out to the IT Consultant assigned to your department, or to the IT Governance team at itgov@vcu.edu, for further assistance.

Use the data classification tool to determine the classification of the data that will be stored, transmitted, or processed in this solution/service.


Select the identified data classification below:


Full Security Review

Category I data has the highest sensitivity. A full security review is required for systems processing Category I data.


The following documentation is required from vendors:



If they do not have a HECVAT, the following documents will also work:

  • SOC 2 Type 2 Report
  • Security documentation such as a Business Continuity Plan (BCP), Disaster Recovery Plan (DRP), Information Security Policy, etc.


If this technology will be processing credit card or other financial transactions, the following documentation is also required:

Limited Security Review

Category II and III data is of medium to low sensitivity. A limited security review is recommended for systems processing Category II and III data.


The following documentation is requested from vendors:


If they do not have a HECVAT, the following documents will also work:

  • SOC 2 Type 2 Report
  • Security documentation such as a Business Continuity Plan (BCP), Disaster Recovery Plan (DRP), Information Security Policy, etc.


High Impact Investment

This investment is considered a high impact investment and will go through a full IT governance review. To prepare for your governance submission, please do the following:

  1. Work with your IT Consultant to complete the IT Consultation checklist.
  2. Work with your vendor to obtain the required security documentation listed above and the vendor's Voluntary Product Accessibility Template (VPAT), which is used for the accessibility review.
  3. Submit your proposal for review using the high impact review form.

Low Impact Investment

This investment is considered a low impact investment and goes through a limited IT governance review. To prepare for your governance submission, please do the following:


  1. Work with your vendor to obtain the required security documentation listed above and the vendor's Voluntary Product Accessibility Template (VPAT), which is used for the accessibility review.
  2. Submit your proposal for review using the low impact review form.