Protecting the UCLA Health Sciences enterprise through proactive identification, analysis, and evaluation of IT risk.IT Security Risk Management
As a crucial component of the Office of the Chief Information Security Officer, IT Security Risk Management is pivotal in advancing the organization's mission. We are dedicated to safeguarding the institution's automated information and digital assets through IT Risk avoidance, transfer, reduction, and acceptance.
Read below to learn more about and how to engage the various programs in IT Risk Management.
Third-Party Risk Management
TPRM conducts assessments against third parties to reduce the risk posed by vendors. This risk is reduced through assessment, monitoring, and contractual risk transfer. TPRM is embedded in the Hospital Procurement and Campus Purchasing processes and works collaboratively with UCLA Campus Governance, Risk, and Compliance teams.
All activity that includes a third-party requiring a contract through Hospital Procurement or Campus Purchasing must first request and obtain a successful TPRM Review using the Campus TPRM portal. Note: The TPRM portal is a shared service, and the process described above applies to all Campus, Hospital, and Health Sciences business units.
Project Risk Management Program (PRMP)
PRMP uses enterprise security policies and frameworks to identify and guide the treatment of gaps in security and compliance within the enterprise project management process. The program works closely with the Project Management Office, Program and Project Management, and DGIT Business Relationship Management to provide implementation-focused risk assessments for a portfolio of approximately 400 concurrently active projects.
Once contracts with all applicable appendices for Data Security and Business Associates are completed, and the effort is prepared to move toward implementation actively, the Risk Assessment can proceed. The Project Manager (or CRM) must engage IT Risk during the Resource Forecast to obtain an IT Risk Score and resource estimation for formal projects (NPR). Requests must be submitted directly on the DM360 Risk Assessment Intake Portal for informal projects (Non-NPR). Please note, you must use the UCLAHS Login button when logging into the intake portal.
Technical Security Risk Engineering
As experts in the field of IT security, Technical Security Risk Engineers provide highly skilled technical reviews of security controls, advise on security best practices, and consult on mitigation and remediation recommendations. Additionally, they review the architecture and design of complex technology implementations for security risk impact.
Enterprise Security Risk Assessment (ESRA)
ESRA oversees and performs project management for all enterprise security risk assessments. These include third-party enterprise-level technical security assessments, third-party quarterly penetration tests, third-party ad-hoc security and IT risk assessments, and the remediation initiatives resulting from these assessments and tests.