Secure UD Risk Assessment Tool

Secure UD Risk Assessment Tool

The Secure UD Risk Assessment Tool (Secure UD RAT) is a streamlined data risk assessment tool. Data risk is measured in the context of the Secure UD Data Governance & Security Program (Secure UD DGSP) using risk assessment methodologies from the National Institute of Standards and Technology (NIST) Special Publication 800-30.

Completing the Secure UD RAT is a great way for your unit to jump-start your data risk management activities or to gauge the maturity of your existing risk management plan and chart a course for the future.

The Secure UD RAT has four sections:

  1. A data survey to identify your unit's key data.
  2. A risk and control assessment to measure your unit's risk posture.
  3. A risk report card that generates immediate feedback based on assessment responses and highlights opportunities for improvement.
  4. A three-year risk management strategy for planning improvements and setting risk management goals.

The Secure UD RAT is available as part of the Secure UD Toolkit.

Download the Secure UD Risk Assessment Tool (.xlsx)

Units that handle Protected Health Information (PHI/ePHI) and are covered entities under HIPAA, or that handle cardholder information subject to the Payment Card Industry Data Security Standard (PCI DSS), should complete the Secure UD Risk Assessment Tool instead of the Secure UD CARS.

Units that are required by law or regulation to complete risk assessments should perform a full risk assessment (usually with the assistance of an independent assessor) every 3-5 years. The Secure UD RAT should be completed in the interim years to assist with continued risk management without the operational strain of a full audit.


Units are required by security controls IS 1.1.2 and IS 3.1.1 to conduct annual risk and security assessments. The Secure UD RAT, when completed, satisfies both of these requirements. Additionally, the Secure UD RAT satisfies security control IS 1.2.1, which requires the development of a risk management strategy.

University units handling especially sensitive data, especially any data subject to regulations requiring risk assessments, should undergo a complete risk assessment every 3-5 years and should complete the Secure UD RAT in the interim years. Completed Secure UD RATs must be submitted to executive leadership and to IT Security for review.


Intended audience: Unit heads
Estimated time to complete: 1-3 hours
Other materials necessary: Secure UD Data Governance & Security Program