Risk Assessment


An effective risk management process is an important component of a successful IT security program.

The following is a simple risk assessment which should familiarize you with the main goals of a security plan:

  • Confidentiality of information
  • Data (or information) integrity
  • Availability of information

The assessment below is a first step toward identifying the type of information handled by your department and the level of security needed to protect these IT assets with respect to confidentiality, integrity and availability. Security recommendations should be discussed between systems administrators and your departmental administration (Deans, Directors, Administrators). This assessment should be used in conjunction with the Departmental Security Checklist, which contains steps for addressing the risks identified here.


Indicators: for each goal below you rate Probability (the likelihood of an occurrence) and Impact (the effect of an occurrence); the combination of the two determines the security level recommended for your systems.

Confidentiality risk refers to the impact of unauthorized access to information assets, such as client information, passwords, student grades, research data, etc., and to the computer hardware that holds them.

Confidentiality of Information

  Probability: If you store sensitive information, student grades, sensitive research data, or other sensitive or confidential information, what is the probability or likelihood that it will be compromised?
  • High
  • Medium
  • Low

  Impact: If compromised, what is the impact to you and your clients?
  • High
  • Medium
  • Low

  Security Level (Probability + Impact = Security Level):
  High + High     = High level security
  High + Medium   = High level security
  High + Low      = Medium level security

  Medium + High   = High level security
  Medium + Medium = Medium level security
  Medium + Low    = Medium level security

  Low + High      = High level security
  Low + Medium    = Medium level security
  Low + Low       = Low level security

Note that impact outweighs probability in this matrix: a High impact always calls for High level security whatever the probability, while a High probability with a Low impact calls only for Medium level security. The same matrix is used for integrity and availability below.


Data integrity risk addresses the impact if inaccurate data is used to make inappropriate business or management decisions. The risk also addresses the impact if customer information such as student grades or account balances were incorrect or if inaccurate data is used in research or sent to a sponsoring agency. The release of inaccurate data to customers, regulators, shareholders, the public, etc. could lead to a loss of business, possible legal action or public embarrassment.

Data Integrity

  Probability: If you store student grades, account balances, research data, or other information on which decisions are based, what is the probability or likelihood that it will be altered or become inaccurate?
  • High
  • Medium
  • Low

  Impact: If the data is compromised (altered or inaccurate), what is the impact to you and your clients?
  • High
  • Medium
  • Low

  Security Level (Probability + Impact = Security Level):
  High + High     = High level security
  High + Medium   = High level security
  High + Low      = Medium level security

  Medium + High   = High level security
  Medium + Medium = Medium level security
  Medium + Low    = Medium level security

  Low + High      = High level security
  Low + Medium    = Medium level security
  Low + Low       = Low level security


Availability or business disruption risk considers the impact if the function or activity is rendered inoperative by a system failure or a disaster. Consideration is given to the impact on clients as well as on the department.

Availability of Information

  Probability: If you are highly dependent upon access to your data (5x8 or 24x7), what is the probability of loss of access?
  • High
  • Medium
  • Low

  Impact: If you suffer a loss of access for more than 4 hours, what is the impact?
  • High
  • Medium
  • Low

  Security Level (Probability + Impact = Security Level):
  High + High     = High level security
  High + Medium   = High level security
  High + Low      = Medium level security

  Medium + High   = High level security
  Medium + Medium = Medium level security
  Medium + Low    = Medium level security

  Low + High      = High level security
  Low + Medium    = Medium level security
  Low + Low       = Low level security

Keep these results in mind as you complete the Departmental Security Checklist.
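The three worksheets above apply the same Probability + Impact = Security Level matrix to confidentiality, integrity and availability. The following Python script is an added example, not part of the original worksheet: it encodes that matrix once, rates a small constructed inventory of hypothetical departmental systems on all three goals, and reports for each system the highest security level required and which goal drove it, which is the result you carry into the Departmental Security Checklist. The system names and ratings are invented for illustration.

```python
"""Worked example of the departmental risk assessment (added example, not
part of the original worksheet). Encodes the page's
Probability + Impact = Security Level matrix and applies it to the three
goals (confidentiality, integrity, availability) for a constructed inventory."""

from __future__ import annotations

from dataclasses import dataclass

RATINGS = ("High", "Medium", "Low")

# The worksheet matrix, identical for all three goals. Note the asymmetry:
# a High impact always yields High level security, but a High probability
# with a Low impact yields only Medium.
SECURITY_LEVEL = {
    ("High", "High"): "High",
    ("High", "Medium"): "High",
    ("High", "Low"): "Medium",
    ("Medium", "High"): "High",
    ("Medium", "Medium"): "Medium",
    ("Medium", "Low"): "Medium",
    ("Low", "High"): "High",
    ("Low", "Medium"): "Medium",
    ("Low", "Low"): "Low",
}

RANK = {"Low": 0, "Medium": 1, "High": 2}


def security_level(probability: str, impact: str) -> str:
    """Probability + Impact = Security Level, per the worksheet matrix.
    Rejects ratings outside High/Medium/Low so a typo cannot silently
    produce a wrong level."""
    if probability not in RATINGS or impact not in RATINGS:
        raise ValueError(
            f"ratings must be one of {RATINGS}: got {probability!r}, {impact!r}"
        )
    return SECURITY_LEVEL[(probability, impact)]


@dataclass
class Assessment:
    """(probability, impact) ratings for one system, per goal."""

    system: str
    confidentiality: tuple[str, str]
    integrity: tuple[str, str]
    availability: tuple[str, str]

    def levels(self) -> dict[str, str]:
        """Security level for each of the three goals."""
        return {
            "confidentiality": security_level(*self.confidentiality),
            "integrity": security_level(*self.integrity),
            "availability": security_level(*self.availability),
        }

    def required_level(self) -> tuple[str, list[str]]:
        """Highest level across the goals, and the goals that drove it.
        The system's controls must satisfy its most demanding goal."""
        levels = self.levels()
        top = max(levels.values(), key=RANK.__getitem__)
        drivers = sorted(goal for goal, lvl in levels.items() if lvl == top)
        return top, drivers


# Constructed sample inventory: hypothetical departmental systems and ratings.
SAMPLE_INVENTORY = [
    Assessment("grades-db", ("Medium", "High"), ("Low", "High"), ("Medium", "Medium")),
    Assessment("lab-notebook-wiki", ("Low", "Medium"), ("Medium", "Medium"), ("High", "Low")),
    Assessment("seminar-signage", ("Low", "Low"), ("Low", "Low"), ("Medium", "Low")),
]


def summarize(inventory: list[Assessment]) -> dict[str, tuple[str, list[str]]]:
    """Map each system name to (required level, driving goals)."""
    return {a.system: a.required_level() for a in inventory}


if __name__ == "__main__":
    for name, (level, drivers) in summarize(SAMPLE_INVENTORY).items():
        print(f"{name}: {level} level security (driven by {', '.join(drivers)})")
```

Running the script rates "grades-db" High (driven by both confidentiality and integrity, because a High impact dominates whatever the probability), while "seminar-signage" only reaches Medium, and that only through availability. Keeping the ratings in a structured list like this makes it easy to revisit them with departmental administration and to see which goal is setting the bar for each system.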
