Below you will find the steps to follow for collecting and submitting your Technology Risk Assessment Committee (TRAC) documentation for review.
Do you need to fill out and submit a TRAC Form?
The following questions can guide you (note: answering yes to even one question may trigger the need for a TRAC submission):
- Is your need technological in orientation and new to the organization?
- Does your solution require access to, or will it create or transmit, data of a sensitive nature?
- Does your vendor (if applicable) require a contract?
- Will your solution require any sort of eCommerce transactions using a Western-owned payment processor storefront or an other-provided payment processor?
- Does your solution require the use of Procurement Services to vet vendor candidates or to pay invoices?
Receiving Information From Your Vendor
If applicable, your vendor might be the best place to start for gathering the required information, specifically information of a technical nature.
Please send the Vendor Information PDF document (found in the left-hand menu system) to your vendor and have them return it to you completed. You will use the information in this form in the next step.
Filling Out the Form
Please use the TRAC Submission Form link (found in the left-hand menu system) to provide your solution's information.
The TRAC uses an internal forms platform called Jira to manage submissions and feedback. You will be required to use your Western credential to log in.
The form asks for information that your team can provide, such as the name of the initiative, description, impact, nature of data, etc. As the questions become more technical, you will need to have your vendor provide certain components for you (if applicable).
Please be as specific as possible.
There are opportunities within the form to upload attachments, etc.
There are 6 major categories of information:
- Name of initiative, reason for the solution, contact information, criticality, etc.
- Procurement Services
- Contract term length (if applicable)
- Details of licensing and/or costs of purchase (including implementation)
- Financial Services (some of this information will be provided via the vendor form)
- Details related to eCommerce requirement
- Payment processing data flow
- PCI compliancy
- Information Technology (some of this information will be provided via the vendor form)
- What type of solution is involved
- Compliancy information
- Infrastructure information
- Security controls
- Privacy (some of this information will be provided via the vendor form)
- Nature of data
- Transmission requirements
- Disclosure requirements
- Contract terms - including risk management, liabilities and indemnities
- Affiliated data agreements
Submit the Form
Please fill out all of the relevant fields in the form and include the information provided by the vendor (if applicable). The sections and fields of the PDF filled out by the vendor correspond directly to sections in the webform. Please feel free to cut and paste.
When finished, please use the SUBMIT button. You will receive a thank-you message with the details of your submission. A member of the TRAC will follow up shortly thereafter to confirm all information has been received.
There may be some follow-up for clarification and/or to obtain other documents.
Process Following Submission
The TRAC will receive the submission and will develop a document to articulate any potential risks to the application and/or solution at Western. Depending on the complexity of the solution, the TRA Group may need to hold a meeting to discuss it in more detail (the TRA Group meets every second Tuesday AM to discuss submissions).
A typical timeline associated with this process is approximately 2-4 weeks.
You will receive a report of the submitted information shortly following the conclusion of the assessment.