Risk Assessment
An effective risk management process is an important component of a successful IT security program.
The following is a simple risk assessment which should familiarize you with the main goals of a security plan:
- Confidentiality of information
- Data (or information) integrity
- Availability of information
The assessment below is a first step toward knowing the type of information handled by your department and the type of security needed to protect these IT assets as they relate to confidentiality, integrity and availability. Security recommendations should be discussed between systems administrators and your departmental administration (Deans, Directors, Administrators). This assessment should be used in conjunction with the Departmental Security Checklist, which contains steps for addressing the risks identified here.
Indicators: two ratings, Probability (the likelihood of an occurrence) and Impact (the effect of an occurrence), are combined to determine the security level recommended for your systems.
Confidentiality risk refers to the impact of unauthorized access to information assets, such as client information, passwords, computer hardware, student grades, research data, etc.
| Confidentiality of Information | Probability | Impact | Security Level (Probability + Impact = Security Level) |
|---|---|---|---|
| If you store sensitive information, student grades, sensitive research data, or other sensitive or confidential information, what is the probability or likelihood that it will be compromised? If compromised, what is the impact to you and your clients? | | | High + High = High level security; High + Medium = High level security; High + Low = Medium level security; Medium + High = High level security; Low + High = High level security |
Data integrity risk addresses the impact if inaccurate data is used to make inappropriate business or management decisions. The risk also addresses the impact if customer information such as student grades or account balances were incorrect or if inaccurate data is used in research or sent to a sponsoring agency. The release of inaccurate data to customers, regulators, shareholders, the public, etc. could lead to a loss of business, possible legal action or public embarrassment.
| Data Integrity | Probability | Impact | Security Level (Probability + Impact = Security Level) |
|---|---|---|---|
| If you store sensitive information, student grades, sensitive research data, or other sensitive or confidential information, what is the probability or likelihood that it will be compromised? If compromised, what is the impact to you and your clients? | | | High + High = High level security; High + Medium = High level security; High + Low = Medium level security; Medium + High = High level security; Low + High = High level security |
Availability or business disruption risk considers the impact if the function or activity were rendered inoperative due to a system failure or a disaster situation. Consideration is given to the impact on clients as well as on the department.
| Availability of Information | Probability | Impact | Security Level (Probability + Impact = Security Level) |
|---|---|---|---|
| If you are highly dependent upon access to your data (5x8 or 24x7), what is the probability of loss of access? If you suffer a loss of access for greater than 4 hours, what is the impact? | | | High + High = High level security; High + Medium = High level security; High + Low = Medium level security; Medium + High = High level security; Low + High = High level security |
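The three tables above all apply the same combination rule, Probability + Impact = Security Level, but only spell out five of the nine possible pairings. The following Python script is an added example, not part of the original assessment page, that encodes exactly those five pairings, evaluates all three areas for a department, and reports any pairing the page leaves undefined (for instance Medium + Medium) instead of guessing a level for it. The `AreaAssessment` class, the `assess` function, the level ordering used to pick an overall level, and the sample department ratings are all constructed for this example.

```python
# Added example: scorer for the "Probability + Impact = Security Level" rule.
# Only the five combinations listed in the tables are encoded; anything else is
# reported as "Undefined" so the department and its administration can decide it.
from dataclasses import dataclass

RATINGS = ("High", "Medium", "Low")

# Exactly the combinations spelled out in the Security Level column of each table.
SECURITY_LEVEL = {
    ("High", "High"): "High",
    ("High", "Medium"): "High",
    ("High", "Low"): "Medium",
    ("Medium", "High"): "High",
    ("Low", "High"): "High",
}

# Ordering used to summarise across areas (an assumption of this example, not the page's).
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2}


def security_level(probability: str, impact: str) -> str:
    """Return the security level for one area, or 'Undefined' for a pairing the page omits."""
    prob = probability.strip().capitalize()
    imp = impact.strip().capitalize()
    if prob not in RATINGS or imp not in RATINGS:
        raise ValueError(f"ratings must be one of {RATINGS}, got {probability!r}/{impact!r}")
    return SECURITY_LEVEL.get((prob, imp), "Undefined")


@dataclass(frozen=True)
class AreaAssessment:
    """One row of the worksheet: Confidentiality, Data Integrity or Availability."""
    area: str
    probability: str
    impact: str

    @property
    def level(self) -> str:
        return security_level(self.probability, self.impact)


def assess(areas):
    """Evaluate each area; return (per-area levels, overall level, areas still undefined).

    The overall level is the highest level any single area requires, so a department
    with one High area is treated as needing High level security as a whole.
    """
    results = {a.area: a.level for a in areas}
    undefined = [name for name, lvl in results.items() if lvl == "Undefined"]
    defined = [lvl for lvl in results.values() if lvl != "Undefined"]
    overall = max(defined, key=LEVEL_RANK.__getitem__) if defined else "Undefined"
    return results, overall, undefined


if __name__ == "__main__":
    # Constructed sample department: grades and research data on a shared server.
    worksheet = [
        AreaAssessment("Confidentiality", "High", "High"),   # -> High
        AreaAssessment("Data Integrity", "Medium", "High"),  # -> High
        AreaAssessment("Availability", "High", "Low"),       # -> Medium
    ]
    per_area, overall, undefined = assess(worksheet)
    for area, level in per_area.items():
        print(f"{area:16s} {level}")
    print("Overall security level:", overall)
    if undefined:
        print("Needs a decision (pairing not in the tables):", ", ".join(undefined))
```

Run it as a script to see the per-area levels and the overall recommendation for the constructed sample; an `Undefined` result is the signal to raise that area with your departmental administration before completing the Departmental Security Checklist.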
Keep these results in mind as you complete the Departmental Security Checklist.