We all experience some type of risk when we own or are responsible for something that is of value. Other people can also value that "something," and may accidentally or intentionally harm or steal it.
When it comes to our campus, the "something of value" that we care about is information, more specifically, restricted data such as personally identifiable information (e.g., social security or credit card numbers). Other campus information that may also be considered sensitive is student information, like enrollment and grades, or research data that may lead to a patent. This information has value to its owner(s), but it may also be valuable to others who may not have a legitimate need for or right to it.
How do people understand the value of the information for which they are responsible? How do they know how to protect the information? How do they identify and manage risk? It all starts with a risk assessment.
The Office of Campus Information Security (OCIS) has developed and begun using a risk assessment process. The following briefly identifies the process and introduces some of the concepts around assessing risk. If you are interested in working with OCIS to assess and mitigate risks associated with your campus department, application, service or club, please contact us.
The OCIS Risk Assessment Process:
Step 1: Letter of Engagement
The letter of engagement is an agreement between OCIS and the department that is responsible for managing the information or service. The agreement identifies:
- The scope of the assessment
- The assessment standards and tools that will be used in the effort
- The content of the final report and who will receive a copy of the final report
- The responsibilities of the different individuals who are part of the assessment
- The schedule of the assessment
Step 2: Conduct the Assessment
Assessments compare the current environment of the service against some type of regulatory or industry standard. Examples of these standards are the National Institute of Standards and Technology (NIST) 800 Series, the Payment Card Industry Data Security Standard (PCI-DSS) and HIPAA standards. Based on the business function of the application and the type of data, one standard may be more appropriate than another. Conducting the assessment includes:
- Completing a self-assessment questionnaire based upon a standard
- Completing network scans of the devices that comprise the service
- Completing other types of scans if appropriate
- Analyzing the results of the self-assessment and the scans for gaps in compliance with the standard
Step 3: Report on Findings
OCIS will document the results of the assessment in a draft Risk Assessment Report. The draft will be shared with the individuals who participated in the assessment to ensure the accuracy of the findings. The final report will include:
- Findings that identify gaps with the standards
- Impact of an event if it were to occur (e.g., the release of personal information)
- The likelihood of an event occurring
- Recommendations on how to mitigate the gaps and reduce the impact or likelihood of an event occurring
Step 4: Communicate Findings
The final report is typically shared with the appropriate management, including the Chief Information Officer. This step is usually included to ensure that the current state of an application and its associated risks are known and can be appropriately addressed in other campus efforts.
Step 5: Re-Assess
The fifth, but not final, step is to conduct periodic follow-up assessments. Follow-up assessments usually occur six to 12 months after the previous assessment. The goal of the follow-up assessments is to:
- Measure the level of compliance with the standard
- Consider changes in the status of the service that may have been caused by a change in the business process, a change in technology, a change in the value of the information or resource, or a change in the standard
- Communicate status to management