Security Assessments

Virtually every aspect of the educational, research, and administrative processes of higher education now relies on digital information and the technologies that support it. That reliance brings an increasing responsibility to protect these information assets from accidental or malicious exposure or damage. On top of this, new security initiatives in grant environments and federal regulations such as HIPAA, FERPA, and GLBA all require much more stringent security guidelines.

Risk management is the ongoing process of identifying these risks and implementing plans to address them.

Often, the number of assets potentially at risk exceeds the resources available to manage them. It is therefore extremely important to know where to apply the available resources so that risk is mitigated in a cost-effective and efficient manner. Risk assessment is the part of the ongoing risk management process that assigns relative priorities to mitigation plans and their implementation.

Assessing Risk

The IT Security Office uses a risk assessment methodology called the OCTAVE® Method.

There are many points to consider in the design, implementation, and goals of a Risk Assessment Methodology.

  1. Risk assessment should be thought of as an ongoing process, not as a one-time project. The process is described as a set of steps that are continually repeated. At the outset, however, there is a startup process that usually is not repeated.
  2. Conducting a university-wide information risk assessment is a process that will require strong commitment from upper administration and collaboration between cross-functional units. Assessing information risks is a management issue, not a technology issue; therefore, to be most effective, the process should be considered the responsibility of all members of management.
  3. In light of current and pending federal and state legislation, it is imperative for universities to recognize that information risk management must be part of their strategic planning.
  4. Due to the complexities of a university environment, a university-wide information risk assessment requires planning and, more importantly, a strategy that systematically increases the scope of the information risk assessment until it encompasses all university areas.
  5. An effective university information risk assessment needs to become a part of the culture of the university community, involving not only IT-staff but also all staff, administrators, faculty, and students. Education and awareness efforts should be aimed at all of these constituencies.
  6. Effective risk management practices require a "risk aware" culture: universities need to expand their information security training and awareness programs to emphasize the importance of adopting risk management principles.
  7. A sound risk management program can serve as the basis for prioritizing and resolving possible funding conflicts.

Contact ITSO

Please contact ITSO if you are interested in hearing more about how we can assist your department in conducting an assessment of your environment.