ITS Risk Assessment Guidelines

February 2017

Risk assessment is the ongoing evaluation of threats, vulnerabilities, existing controls, and the impact a successful threat would have on information assets; risk management is designing, implementing, and monitoring the safeguards needed to protect University IT assets. This document provides a framework for performing a risk assessment whose results feed a risk management plan.

Definitions:

  • Risk - possibility of suffering harm or loss
  • Asset - anything of value such as data, hardware, software, reputation, facilities, etc.
  • Threat - anything detrimental to the University's information assets
  • Vulnerabilities - weaknesses in a system, control or countermeasure that can be exploited
  • Impact - the consequences if a threat is successful

The first part of a risk assessment is to classify what kinds of data the university has and what level of protection each kind needs. The Information Security Program and the Confidentiality Policy define "confidential" and "covered" data/information. Use the following matrix to determine the data classification.

Confidential Data (highest level of security)
  • Legal requirements / industry regulations: protection of the data is required by law (e.g., FERPA, HIPAA, GLBA) or by industry regulation (PCI DSS)
  • Reputation risk: High
  • Data examples: health/medical records, SSN, driver's license, bank account information, credit card numbers, income, tax returns, student records

Sensitive/Critical Data (moderate level of security)
  • Legal requirements / industry regulations: the University has obligations to protect the data
  • Reputation risk: Medium
  • Data examples: information resources with access to Confidential Data, contractual data, library transactions, data under licensing restrictions, facilities/controls information

Public Data (low level of security, but still some protection)
  • Legal requirements / industry regulations: none specified
  • Reputation risk: Low
  • Data examples: campus maps, personnel directory data, institutionally published data

Threats

Most threats fall into one of the following four categories:

  • Malicious activity
  • Malfunction
  • Human error
  • Environmental

Some specific examples include:

  • Malicious activity
    • Equipment theft
    • Physical break-in
    • Social engineering
    • Eavesdropping
    • Self-replicating malware
    • Malware that requires user interaction
    • Malicious unauthorized access
    • Malicious authorized user
    • Malicious scan
    • Process violation
    • Physical attack such as vandalism, looting, etc.
  • Malfunction
    • Software malfunction
    • Hardware malfunction
    • Process malfunction
    • Power disruption
  • Human error
    • Equipment loss
    • Miscommunication
    • Implementation error
  • Environmental
    • Fire
    • Temperature and humidity extremes
    • Flood
    • Lightning
    • Damaging wind
    • Hazardous materials

Threat Agents and Motives:

A threat agent is the operative that exercises a threat to exploit a vulnerability. A threat agent might be a person or a non-human cause such as weather or equipment failure. Human threat agents have a motive: the objective or reason for exercising the threat. The action itself can be intentional or accidental.

  • Human
    • A person or group of people targeting systems might be motivated by:
      • Data theft
      • System compromise
      • Political or business espionage
      • Sabotage of systems
      • Sabotage of business processes
    • Employees can create vulnerabilities or cause incidents accidentally by
      • Not being sufficiently trained
      • Not following procedures
      • Being forgetful or distracted
  • Natural or environmental agents
    • Weather - temperature extremes, humidity, damaging winds, or rain
    • Natural disaster - lightning, fire, hurricane, or earthquake
    • Equipment wear or defect - equipment damage or aging equipment
    • Corrosion - chemicals

Threat Probability:

Probable- Threat agent and motive exist and will likely exploit a vulnerability.

Possible- Threat agent and motive exist, but are not likely to exploit a vulnerability.

Unlikely- Threat agents are nonexistent or rare, so little or no threat exists.

Threat Impact:

Significant- If the threat exploits a sensitive or critical asset vulnerability, it could have a major impact on the academic or business goals of the institution.

Moderate- If the threat exploits a sensitive or critical asset vulnerability, it could have a noticeable, but not significant, impact on the goals of the institution.

Low- If the threat exploits a sensitive or critical asset vulnerability, the impact on the goals of the institution will be negligible or non-existent.

Status of Vulnerability Controls:

Not Protected- Adequate controls are not in place to prevent likely or high-impact threats from exploiting the vulnerability.

Protected- Adequate controls are in place to prevent likely or high-impact threats from exploiting the vulnerability.

Not Applicable- Threats against the vulnerability are not likely, will not have significant impact, or do not exist.

Unsure- It is not known if the vulnerability is protected.

Vulnerabilities and Controls:

General Categories for Strategic Vulnerabilities and Controls

  • Policies, standards, procedures, guidelines
  • Communication
  • Records
  • Risk
  • Contingency

General Categories for Operational Vulnerabilities and Controls

  • Access
  • Change Management
  • Environmental Protection
  • Incident Response

Specific Example Categories for Strategic Vulnerabilities and Controls

  • Policy, standards, procedures, guidelines
    • Creation, documentation, implementation, review and update
    • Compliance
    • Enforcement
  • Communication
    • Hiring and screening
    • Expertise
    • Training and awareness
    • Coordination and collaboration
  • Records
    • Logs
    • Documentation
    • Tracking and reporting
  • Risk
    • Analysis 
    • Verification
    • Mitigation
      • Balance of security with usability
      • Cost-effectiveness
    • Strategy
  • Contingency
    • Documentation
    • Testing

Specific Example Categories for Operational Vulnerabilities and Controls

  • Access
    • Identification
    • Authorization
      • Data
      • Software
      • System and media
      • Workstation
      • Portable devices and media
      • Personally-managed computers
      • Backups
      • Network
      • Location
    • Authentication
      • Session management
      • Passwords
      • Account management
    • Least privilege
      • Encryption
      • Trust
        • Account restrictions
        • File access restrictions
        • Software access restrictions
        • System access restrictions
          • PDA synchronization
        • Network segregation
        • Physical access restrictions
    • Disposal
  • Change management
    • Planning
    • Vigor
  • Environmental protection
    • Protection against critical staff outages
    • Temperature and humidity protection
    • Fire protection
    • Flood protection
    • Wind protection
    • Lightning protection
    • Protection from hazardous material
    • Power surge protection
  • Incident response
    • Monitoring
    • Containment
    • Investigation
      • Forensics and evidence preservation

Risk Matrix

Using a risk matrix we can attempt to quantify risk by estimating the probability that a threat will exploit a vulnerability against an asset, and assessing the consequences if it succeeds. Plotting assets on the matrix allows protection effort to be prioritized. Some illustrative examples (positions are indicative only):

Rows are probability (5 = high, 1 = low); columns are impact (1 = low, 5 = high). The example assets below are listed by the probability row they were placed in:

  5 (High probability):  Credit card
  4:                     Health/medical, Donor giving, Student grades
  3:                     Personnel directory, Library transactions
  2:                     Campus map
  1 (Low probability):   (none)

  Impact: 1 (Low impact)  2  3  4  5 (High impact)
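The following Python script is an added worked example, not part of the original guidelines, showing how the scales defined above (threat probability, threat impact, and status of vulnerability controls) can be turned into a prioritized risk register. The numeric weights, the High/Medium/Low bands, the rule that unprotected or unsure items are actioned before protected ones, and the sample register entries are all assumptions made for illustration; the document itself does not prescribe them.

```python
"""Prioritized risk register built from the scales in these guidelines.

Added example: scoring weights, bands, ordering rule and sample data
are assumptions, not part of the guidelines.
"""
from dataclasses import dataclass

# Ordinal weights for the document's three-level probability and impact scales.
PROBABILITY = {"Probable": 3, "Possible": 2, "Unlikely": 1}
IMPACT = {"Significant": 3, "Moderate": 2, "Low": 1}

# Assumed action ordering: unprotected first, then unknown, then protected.
# "Not Applicable" items are dropped from the actionable list entirely.
STATUS_RANK = {"Not Protected": 0, "Unsure": 1, "Protected": 2}
NOT_APPLICABLE = "Not Applicable"


@dataclass(frozen=True)
class RiskItem:
    asset: str
    classification: str     # Confidential / Sensitive/Critical / Public
    threat: str             # from the threat categories above
    probability: str        # Probable / Possible / Unlikely
    impact: str             # Significant / Moderate / Low
    control_status: str     # Not Protected / Protected / Not Applicable / Unsure


def validate(item: RiskItem) -> None:
    """Reject entries that use a value outside the document's scales."""
    if item.probability not in PROBABILITY:
        raise ValueError(f"{item.asset}: probability must be one of {sorted(PROBABILITY)}")
    if item.impact not in IMPACT:
        raise ValueError(f"{item.asset}: impact must be one of {sorted(IMPACT)}")
    if item.control_status not in STATUS_RANK and item.control_status != NOT_APPLICABLE:
        raise ValueError(f"{item.asset}: unknown control status {item.control_status!r}")


def risk_score(item: RiskItem) -> int:
    """Inherent risk = probability weight x impact weight (1..9)."""
    validate(item)
    return PROBABILITY[item.probability] * IMPACT[item.impact]


def risk_band(score: int) -> str:
    """Assumed banding of the 1..9 score for reporting."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def prioritize(items: list[RiskItem]) -> list[RiskItem]:
    """Order actionable items: worst control status first, then highest score."""
    actionable = [i for i in items if i.control_status != NOT_APPLICABLE]
    for item in actionable:
        validate(item)
    return sorted(
        actionable,
        key=lambda i: (STATUS_RANK[i.control_status], -risk_score(i), i.asset),
    )


def render(items: list[RiskItem]) -> str:
    """Plain-text register, one line per item, in priority order."""
    lines = [f"{'Asset':<22}{'Class':<20}{'Threat':<30}{'Score':>5}  Band    Control status"]
    for i in items:
        s = risk_score(i)
        lines.append(f"{i.asset:<22}{i.classification:<20}{i.threat:<30}{s:>5}  "
                     f"{risk_band(s):<7} {i.control_status}")
    return "\n".join(lines)


# Constructed sample register (assets and ratings invented for illustration).
SAMPLE_REGISTER = [
    RiskItem("Credit card numbers", "Confidential", "Malicious unauthorized access",
             "Probable", "Significant", "Not Protected"),
    RiskItem("Student records", "Confidential", "Malicious authorized user",
             "Possible", "Significant", "Protected"),
    RiskItem("Library transactions", "Sensitive/Critical", "Miscommunication",
             "Possible", "Moderate", "Unsure"),
    RiskItem("Campus maps", "Public", "Malicious scan",
             "Probable", "Low", "Not Applicable"),
    RiskItem("Server room", "Sensitive/Critical", "Flood",
             "Unlikely", "Significant", "Protected"),
]

if __name__ == "__main__":
    print(render(prioritize(SAMPLE_REGISTER)))
```

Running the script lists the unprotected credit card asset first even though the protected student records entry has a higher raw score, which reflects the document's point that control status, not score alone, determines where remediation effort goes first.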

Related Documents

Related Policies