Download the complete service offering docx format of risk_assessment_services_definition.doc


1. Description of Service

MassIT provides Technical Risk Assessment services to those agencies wishing to deploy applications both internal to MAGnet as well as internet facing.  This service uses the NIST Special Publication 800-30 "Risk Management Guide for Information Technology Systems" as its primary reference framework.  A written report is produced.

This report typically includes the following elements:

  • Executive Summary
  • Technical Architecture Description
  • Threat & Vulnerability Identification
  • Controls
  • Likelihood Determination
  • Impact Analysis
  • Risk Determination
  • Recommendation
  • Additional Information
  • Jurisdiction Statement
  • References

Support services include:



2. Service Targets/Hours of Availability

Initial reviews will be completed within 15 business days.  If a customer's submission for an assessment is found to be non-Enterprise Policy compliant OR is found to be insecure, additional time will be involved.  The amount of additional time will be dependent upon the complexity of the issue(s) identified and available mitigations.

The MassIT Security Office will provide assistance to the customer with identifying potentially viable mitigation strategies to achieve compliance.

Service Requirement


Service AvailabilityService availability hours are 8:30 AM - 5:00 PM Monday through Friday, excluding holidays.

3. Service Reporting

The following reporting information is provided to customers as part of this service: A written Risk Assessment is completed and provided to the customers.



Reporting Interval

Risk Assessment ReportThe breadth and depth of these reports are specific to each assessment.  The standard report would normally include the basic elements enumerated in "Description of Service".Ad hoc - specific to each Risk Assessment request.

4. Service Requests

COMiT Service Request* DescriptionLead Time-Business Days
Conduct a Risk AssessmentRequest for assistance in assessing system risks relative to: threats, vulnerabilities, controls, likelihood, and impacts.5 Days

*For new service requests only. To manage existing requests, please log into COMiT.

5. Customer Responsibilities

Customers and their business partners are expected to develop applications in conformance with Enterprise Policies and Standards while also adhering to stipulations of Executive Order 504 in their treatment of sensitive data.

Customers need to also be familiar with the ramifications of MGL Section 93 (related to Data Breach Notifications) for them should a breach of their system(s) occur.

For your convenience, you may also view a detailed list of customer responsibilities docx format of risk_assessment_services_definition.doc



6. Chargeback Rate Information

For more information on Chargeback, including an overview of the program as well as current and previous fiscal year rates, please visit our Chargeback Services webpage.

The costs pertaining to this service offering are currently funded out of Overhead. No additional detail is available for review.


Reviewed August 30, 2016
Updated October 28, 2013
Published August 14, 2009
Created April 16, 2009: Information provided by the Security Office