IT Download
March 2005
 
 
Information Security Risk Assessment

By John Beisner, Director, University Risk Management

To further the goals set forth in the University’s Information Security Policy (Directive 13), the University must take reasonable steps to protect the confidentiality, integrity and availability of its information resources. The Office of University Risk Management is developing tools academic departments and administrative units can use to conduct a risk assessment that will:

1. Identify and assess information protected by federal and state laws and regulations, and University policies;
2. Identify and assess the vulnerability of this information; and
3. Implement appropriate risk control measures.


University Risk Management will begin working with departments and units to conduct this risk assessment in the second half of 2005.


Identification and Assessment of Information Assets

The first step in the risk assessment process involves identifying the protected information collected, used, and maintained by the University, the amount of this information, how this information is stored (both electronically and in hard copy), the security measures in place, who has access to this information, and other departments or units that use or rely on this information. During the past two months, divisional information technology coordinators and departmental technicians have completed much of this work.

Each department or unit will also assess on a scale of high-medium-low the information’s confidentiality (What would the impact be if the information was compromised? or How regulated is the information?), integrity (How important is the accuracy/reliability of the information?) and availability (How much of the department’s ability to function depends on access to the information?).

While determining integrity and availability is department-specific, social security numbers, driver’s license numbers, state identification numbers, grades or documents related to academic performance, personal financial information such as bank account, insurance and credit card numbers, performance evaluations or documents related to employee performance, income and credit histories, home addresses and telephone numbers, and medical information in every instance rank “high” on the confidentiality scale. This list is not exhaustive.



Identification and Assessment of Risks

The second step in the risk assessment process requires departments to identify the threats to the electronic and hard copy information they use. Threats may be deliberate, such as theft and mischief, or accidental, such as power outages, hardware failure or natural disasters. Threats can result in destruction, disclosure, removal or corruption of information, or interruption of University operations. In addition to often cited threats such as theft, computer viruses, fire and hacking attempts, less obvious risks include unmanaged software installation, unavailability of key staff, attempts by untrained staff to correct a problem, reliance on outdated or non-replaceable equipment, and loss of facilities.

After identifying threats, departments will then assess on a scale of high-medium-low the probability that a threat will occur. Departments might find the following observations helpful when assessing vulnerability:

  • The greater the number of individuals with access, the more vulnerable the information.
  • The greater the public’s access to the location where the information is used or stored, the more likely a threat will occur.
  • The more places and ways the information is stored, the greater the vulnerability.
  • The greater the amount of information stored, the greater the vulnerability.
  • The more “interesting” the information, the greater the vulnerability.
  • The more ways to access the information, the more likely a threat will occur.
  • The more potential threats, the greater the vulnerability.

 

Implementation of Appropriate Risk Control Measures

Once the protected information and threats have been identified and assessed, the department or unit can then prioritize its information security efforts and determine the appropriate level of protection. The University will provide guidance regarding what physical, systems and administrative safeguards are required based on the level of confidentiality, integrity, availability and vulnerability. Departments and units will then be responsible for implementing the appropriate recommendations, or changing how they collect, use or maintain information.
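As an added illustration of the three steps above (not the University's own assessment tool), the following Python script scores a small, constructed register of departmental information assets. It applies the article's rule that the listed data types always rank "high" on confidentiality, counts the vulnerability factors from the list above, and orders the assets for safeguard decisions. The numeric mapping of the high-medium-low scale, the thresholds used for each vulnerability factor, the impact x likelihood x vulnerability formula, and the sample assets are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Numeric value of the article's high/medium/low scale (assumed mapping).
RATING = {"low": 1, "medium": 2, "high": 3}

# Categories the article says always rank "high" on confidentiality.
ALWAYS_HIGH_CONFIDENTIALITY = {
    "ssn", "drivers_license", "state_id", "grades", "academic_record",
    "bank_account", "insurance", "credit_card", "performance_evaluation",
    "income_history", "credit_history", "home_address", "home_phone",
    "medical",
}


@dataclass
class Threat:
    name: str
    probability: str          # "high" / "medium" / "low"


@dataclass
class Asset:
    name: str
    data_types: Set[str]
    confidentiality: str      # department's own rating; may be overridden
    integrity: str
    availability: str
    people_with_access: int
    storage_locations: int
    access_methods: int
    threats: List[Threat] = field(default_factory=list)


def effective_confidentiality(asset: Asset) -> str:
    """Step 1: any protected data type forces confidentiality to 'high'."""
    if asset.data_types & ALWAYS_HIGH_CONFIDENTIALITY:
        return "high"
    return asset.confidentiality


def impact(asset: Asset) -> int:
    """Worst-case rating across confidentiality, integrity and availability (1..3)."""
    return max(RATING[effective_confidentiality(asset)],
               RATING[asset.integrity], RATING[asset.availability])


def vulnerability(asset: Asset) -> str:
    """Step 2: count the article's vulnerability factors that apply.
    The thresholds (10 people, 2 locations, 2 access methods, 3 threats) are assumed."""
    factors = sum([
        asset.people_with_access > 10,   # more individuals with access
        asset.storage_locations > 2,     # more places the information is stored
        asset.access_methods > 2,        # more ways to access the information
        len(asset.threats) > 3,          # more potential threats
    ])
    return "low" if factors == 0 else "medium" if factors <= 2 else "high"


def likelihood(asset: Asset) -> int:
    """Highest probability among the identified threats (1..3; 0 if none)."""
    return max((RATING[t.probability] for t in asset.threats), default=0)


def risk_score(asset: Asset) -> int:
    """Impact x likelihood x vulnerability, 0..27 (assumed formula)."""
    return impact(asset) * likelihood(asset) * RATING[vulnerability(asset)]


def prioritize(assets: List[Asset]) -> List[str]:
    """Step 3: order assets so the highest-scoring ones get safeguards first."""
    return [a.name for a in sorted(assets, key=risk_score, reverse=True)]


# Constructed sample register for a hypothetical department.
SAMPLE_ASSETS = [
    Asset("Student records spreadsheet", {"ssn", "grades"},
          "medium", "high", "medium", people_with_access=25,
          storage_locations=4, access_methods=3, threats=[
              Threat("laptop theft", "high"),
              Threat("computer virus", "medium"),
              Threat("power outage", "low"),
              Threat("untrained staff edits", "medium")]),
    Asset("Department event calendar", {"events"},
          "low", "low", "medium", people_with_access=3,
          storage_locations=1, access_methods=1, threats=[
              Threat("hardware failure", "medium")]),
]

if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        print(f"{a.name}: confidentiality={effective_confidentiality(a)} "
              f"vulnerability={vulnerability(a)} score={risk_score(a)}")
    print("priority order:", prioritize(SAMPLE_ASSETS))
```

Note that the spreadsheet's department-assigned "medium" confidentiality is overridden to "high" because it holds social security numbers and grades; that override, rather than the department's own judgement, is what the article's fixed list is meant to guarantee.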
