Risk Assessment Services
The Information Security Office offers departments a range of information security assessments based on the National Institute of Standards and Technology (NIST) framework and industry best practices to help you identify and prioritize risks to university information, devices, and systems. This includes but is not limited to:
- Vendor risk assessments
- Vulnerability assessments
- Web application assessments
- Compliance assessments against regulations or contracts, such as FERPA, GLBA, PCI-DSS, HIPAA, etc.
- General recommendations for reducing information technology risk to an acceptable level.
Risk management services are offered at three levels, tailored to business needs:
- Basic: High-level information security risk assessment. Self-service questionnaire submitted to ISO for scoring and recommendations for process improvement to reduce the business unit’s risk position.
- Moderate: Mid-level information security risk assessment. On-site interview and questionnaire with a tour of the unit being assessed. Provides memo with observed control weaknesses and recommendations for process improvement to reduce the business unit’s risk position.
- Comprehensive: Detailed information security risk assessment. Multiple on-site interviews and questionnaires with tours of the unit being assessed. Provides report with observed control weaknesses and recommendations for process improvement to reduce the business unit’s risk position, as well as policy and control implementation planning and prioritization.
University business units may request vendor assessments by contacting the ISO.
How to Request
To request a risk assessment, email email@example.com with the following information:
- Department name
- Brief description of the services the department provides.
- Description of the data types the department processes (e.g. FERPA data, Student Loan Data, PCI data, Research Data, PHI, etc.).
- Whether the department is subject to any compliance requirements (e.g. HIPAA, ITAR, GLBA, PCI-DSS, etc.).
- Main contact within the department to facilitate the risk assessment.
- Approximate number of employees.
- Approximate number of workstations, and the name of the individual or unit that provides desktop management.
- List of systems the department uses and indicate if any are centrally managed.
As part of a risk assessment, a department may be asked to complete either an exception request or a risk acceptance form. The risk analyst performing the assessment will determine whether one needs to be filled out and will guide the department in completing it.