The Security Assessment Review (SAR) process, administered by Cybersecurity Governance, Risk, and Compliance (GRC), is required whenever institution information classified as anything other than Public will be captured, stored, processed, transmitted, or otherwise managed by a third party (e.g., vendor, service provider). When USNH information is captured or stored in non-USNH information technology resources, stored in non-USNH facilities, or handled by non-USNH persons, it is subjected to unknown risks. Those who are responsible for appropriate handling of such information must understand what type of information is involved, what level of protection it requires, what the risks are to the information, and how those risks will be mitigated.
A SAR should be completed and approved by ET&S prior to requesting a contract through procurement if any of the above conditions apply.