What is risk assessment?
Information security risk assessment involves identifying and assessing risks to the confidentiality, integrity and availability of information and information systems. A typical self-assessment involves an extensive questionnaire with defined control objectives and techniques derived from requirements and best practices found in statute, policy and guidance on information security. The process measures information systems against these requirements and identifies gaps in meeting them. Repeat assessments measure progress toward meeting them.
The Information Security Office will facilitate a risk assessment in academic and business units throughout the University during Summer 2009.
Why is a risk assessment being conducted?
A risk assessment is a prerequisite to the formation of strategies for developing, implementing and maintaining an information security posture. The need for risk assessment is emphasized by:
- Risk Assessment Standard
- Arizona Board of Regents Policies 9-201 (General Policy) & 9-202 (University Responsibilities)
- Arizona Board of Regents' Information Security Program Guidelines
- State Office of the Auditor General Performance Audit Report
- Health Insurance Portability and Accountability Act (HIPAA), for both HIPAA covered entities and business associates
- Certain grants and governmental partnerships
When will it be conducted?
- Beginning on or after July 1, 2009
- Return to UISO by August 31, 2009 (complete Risk Assessment Procedure Steps 1-4)
How will it be conducted?
- Overview Presentation: PDF | Video (requires UA NetID; if you have trouble viewing, try Internet Explorer)
- Overview Handout (PDF)
- Risk Assessment Procedure
2009 Information Security Risk Assessment Documents
- PDF documents: These documents can be printed and used as working copies: Part 1 | Part 2 | Part 3 | Part 4 | Part 5 | Part 6 | Part 7
- Excel Workbook: This is the document that each unit will complete and submit: Excel
- Part 3 additional space (Excel): Additional space for listing unit applications: Part 3 additional
- Action Plan form: Word | PDF
Inventory Resources (optional freeware)
- Lansweeper - Network Inventory for Windows
- OCS Inventory NG - Open Computer and Software Inventory Next Generation
- Spiceworks - IT Management Software
- Easy-to-use script for Windows AD

