The University of Arizona

Risk Assessment FAQs

Risk Assessment

What is an information security risk assessment?
Why does my unit need to complete a risk assessment?
Who should be part of conducting the risk assessment in my unit?
When should my unit conduct the risk assessment?
How should our unit perform the risk assessment?
When referring to "the network," does this refer to the network our unit provides, or one provided by UITS?
Does the term "third parties" include other university units?
Which applications should be listed in the Unit Application and Data Inventory (Part 3 of the Excel workbook)?
How long will the risk assessment take to perform?
Doesn't risk assessment just lead to more and more security requirements, most of which aren't necessary?
How do we answer a question that is not applicable to our unit? 

Report

What happens after I complete and return the risk assessment?
How soon will my unit receive a report after submitting the risk assessment documentation to the ISO?
When my unit receives the report, what do we do with it?
Why does my report have so many recommendations?

Action Plan

How does the assessment team go about creating an Action Plan?
How can the unit implement the recommendations with its current budget and staffing?
What are the consequences of not completing an Action Plan within the allotted two month period, or of never completing an Action Plan?
How long does the unit have to implement action plans?
What happens if a recommendation that the team elected to accept is not implemented within the timeline stated in the Action Plan?  Or if a recommendation is never implemented as planned?


Risk Assessment

What is an information security risk assessment?
Information security risk assessment involves identifying and assessing risks to confidentiality, integrity and availability of information assets. A typical self-assessment involves an extensive questionnaire with defined control objectives and techniques derived from requirements and best practices found in statute, policy and guidance on information security. The process measures information systems against these requirements and identifies gaps in meeting them.

Why does my unit need to complete a risk assessment?
A risk assessment is a prerequisite to the formation of strategies for developing, implementing and maintaining an information security posture. It puts you in control by leaving your security posture less open to chance.  The ABOR Audit Committee requested UA to conduct a risk assessment. The need for risk assessment is emphasized by:

Who should be part of conducting the risk assessment in my unit?
The team will need to consist of at least the following people in your unit:

  1. Senior Financial Administrator
  2. Senior IT Administrator

In some units, all three of these roles may be filled by the same person.

In addition to these individuals, you may choose to have additional members who can assist in conducting the inventory portion and can help answer the questionnaires.  The team members will need to be familiar with four areas of analysis:  infrastructure, applications, operations and people.

What is the deadline for the risk assessment?
The risk assessment will be conducted during the months of July and August 2009.  The deadline for completing the assessment and returning it to the Information Security Office (iso@u.arizona.edu) is August 31, 2009.

How should our unit perform the risk assessment?  Is there a specific format or process? 
Follow the Risk Assessment Procedure (IS-P1200) and the Overview Handout for full instructions.  You will find the documents you need at http://security.arizona.edu/risk.  Scroll down to the section titled "2009 Information Security Risk Assessment Documents."

While other methods may work well, this approach ensures consistency across the university.

When referring to "the network," does this refer to the network our unit provides, or the entire network provided by UITS?
We are referring to your unit's network.  This is a particularly important distinction because the scope of the assessment is your unit.  It also can make answering the questionnaires challenging.

Does the term "third parties" include other university units?
Yes.  Third parties include non-employee students, vendors, business partners, customers or other third parties in other units or organizations.

Which applications should be listed in the Unit Application and Data Inventory (Part 3 of the Excel workbook)?
Include all types of applications.  You will find it useful to approach this as a business continuity and disaster recovery exercise.  For example, although MS Office is mundane, it also is very necessary or useful to continued operations.  If you do not already use an automated tool to collect this type of information, check out some of the inventory tools listed at the bottom of http://security.arizona.edu/risk.  The script is a very usable and relatively simple tool for Windows domains.

How long will the risk assessment take to perform?
The questionnaires (Parts 5 and 6 of the Excel workbook) will typically take approximately two hours for your team to perform.  Some teams may require more time than this.

The amount of time needed for the inventory will depend on how recently your unit has performed an inventory, and the size and complexity of your unit's IT infrastructure.  Parts 2, 3 and 4 of the Excel workbook collect a basic inventory of hardware and software commonly used in your unit.  Free tools for the inventory are listed at http://security.arizona.edu/risk.  Scroll down to the section titled "Inventory Resources (optional freeware)."

Doesn't risk assessment just lead to more and more security requirements, most of which aren't necessary?
No.  When done properly, it should identify the measures that are needed to effectively reduce risk that is unacceptable and no further.  It is important to remember that risk assessment can show that your unit's information assets are adequately secured with the measures you already have in place, and no more need be done.

How do we answer a question that is not applicable to our unit?  For example, question C3c asks, "Has encryption software been installed on unit systems storing Social Security, credit card and driver's license numbers?"  and some units may not store this information.
If a question is not applicable to your unit and "not applicable" is not a possible answer, leave the question unanswered and indicate in your transmittal of the completed questionnaire why the question is not applicable.

Report

What happens after I complete and return the risk assessment?
The Information Security Office generates a report that includes recommendations for mitigating the risks identified by your assessment. 

How soon will my unit receive a report after submitting the risk assessment documentation to the ISO?
The ISO will prepare a report as quickly as possible.  The timing will depend on the volume of risk assessments being processed at the time your documentation is received. 

When my unit receives the report, what do we do with it?
Your unit will have two months to complete an Action Plan, as described in Steps 6-8 of the Risk Assessment Procedure.

Why does the report include so many recommendations?
While high-level, the risk assessment helps identify risks broadly across four areas of analysis:  infrastructure, applications, operations and people.  Risks in these areas are often normal and acceptable.  InfoSec does not rate any number of recommendations as "passing" or "failing."  Steps 6-8 of the Risk Assessment Procedure will help you understand whether you will need to take any action to mitigate the identified risks.  See the FAQs under the "Action Plan" heading for more information.

Action Plan

How does the assessment team go about creating an Action Plan?

The assessment team creates the Action Plan using the form referred to in the Risk Assessment Procedure.  The Action Plan form includes a Decision Support Worksheet.  The report may include recommendations that are labeled "High Priority," "Medium Priority" or "Low Priority," and it will have recommendations that do not have any priority designation. A Decision Support Worksheet must be created for each of the “High Priority” recommendations. The average report includes 6-8 of these recommendations.  The team may also choose to prepare Decision Support Worksheets for Medium Priority, Low Priority or no-priority recommendations.  Some of them are quite simple to implement yet very effective in mitigating risk for your unit and the University.


The Decision Support Worksheet walks the team through a cost-benefit analysis of the recommendation under consideration.  The team, or a staff member consulted by the team, will need to estimate the cost of the proposed control solution.  Cost estimates will be influenced by the type of solution selected and the unit’s existing infrastructure, deployment method and technical capability.  The Decision Support Worksheet is very flexible.  Costs can be estimated in dollars or hours.  Even a very rough estimate is sufficient for this exercise.  Many of the recommendations require little or no additional expenditure.

The team then relies on the cost-benefit analysis to select a risk mitigation strategy.  Team members may decide to (1) implement the recommendation, (2) select another control solution that mitigates the risk addressed by the recommendation, (3) outsource the function to a partner or vendor that agrees to assume responsibility for mitigating the risk, or (4) accept the risk and continue operating.

The last option—accepting the risk—is not acceptable for recommendations mandated by the UA information security standards.  How do you determine whether a recommendation is mandatory?  The recommendations generally will include a reference to the standard and use mandatory language (for example, “must,” “requires”).  Also, the Implementation of Standards table at the end of the report provides an easy reference.  It gathers in one place a list of the standards that are referred to in the risk assessment and the report, and indicates whether the control has been implemented in your unit.  You may want to check the language of the standard against the recommendation to help you determine what is actually required.


Even if a recommendation is mandatory, you have the option of requesting an exception under certain circumstances.  Exceptions must be approved by the University Information Security Officer and remain valid for a maximum of one year. Refer to the Exceptions Procedure and Form. If you have a question about whether or not a control is mandated by a standard or about the Exceptions Procedure, please contact the Information Security Office.


Refer to Steps 6-8 of the Risk Assessment Procedure for detailed instructions.


How can the unit implement the recommendations with its current budget and staffing?

The primary purpose of the report is to inform you about the risks identified by the risk assessment and possible approaches to mitigating them.  You are not expected to address all or even most of the identified vulnerabilities.  For many UA functions, a high level of security is neither attainable nor desirable. 


The process builds in several elements that can blunt the potential effect of the process on your budget and staff:

  • Action is required only for the recommendations labeled "High Priority" in the report. The unit may choose but is not required to implement other recommendations.
  • Implementing a recommendation is only one of four possible responses.  For each recommendation, the assessment team may decide, with the approval of the unit head, to:  (1) implement the recommendation, (2) select another control solution that mitigates the risk addressed by the recommendation, (3) outsource the function to a partner or vendor that agrees to assume responsibility for mitigating the risk, or (4) accept the risk and continue operating.  The fourth option may be appropriate for many of the recommendations. 
  • Even if the fourth option is not available because a recommendation is mandated by one of the UA information security standards, you still have options, as described in the immediately preceding FAQ.  
  • No arbitrary deadline has been established for the recommendations that you decide to implement.  The team sets a timeline that suits the unit's budget and takes into consideration the unit's other activities and staffing.
  • Some of the recommendations can be implemented at low cost, or with no additional expenditure.

Finally, the university or your college may have resources to help you with implementation.  The Information Security Office can assist in identifying solutions offered to the university at large.

What are the consequences of not completing an Action Plan within the allotted two month period, or of never completing an Action Plan? 

Unit management is responsible for monitoring the unit's progress and ensuring completion.  Internal Audit will monitor progress to ensure an Action Plan is prepared and submitted to senior management. 

How long does the unit have to implement action plans? 

The assessment team and the unit head determine how long implementation will take and include a timeline in the Decision Support Worksheet. 

What happens if a recommendation that the team elected to accept is not implemented within the timeline stated in the Action Plan?  Or if a recommendation is never implemented as planned?

For most recommendations, the unit head will decide the consequences of failure to implement.  Failure to implement constitutes an acceptance of the risk by the unit.  For High Priority recommendations mandated by the UA security standards, possible consequences are described in Part VI (Recourse for Non-Compliance) of the Information Security Policy.  According to Part II (Authority), the Chief Information Officer and the University Information Security Officer are responsible for enforcing the Policy and the supporting standards and procedures (including the Risk Assessment Standard and the Risk Assessment Procedure).  Vice Presidents, Deans, Directors, Department Heads and Heads of Centers have management authority and are expected to take appropriate actions to comply with the Policy.