Information Resources & Communications

IT Risk Assessment

The Successful Risk Assessment

Departments whose units handle or manage information assets or electronic resources should conduct formal risk assessments. A risk assessment is the process of identifying which information resources require protection, and of understanding and documenting the potential risks from IT security failures that could result in a loss of confidentiality, integrity, or availability of that information. Its purpose is to help management choose appropriate strategies and controls for the stewardship of information assets.

Successful risk assessments require full support of senior management and must be conducted by teams that include both functional managers and information technology administrators. As business operations, workflow, or technologies change, periodic reviews must be conducted to analyze these changes, to account for new threats and vulnerabilities created by these changes, and to determine the effectiveness of existing controls. (See ECAR, "Information Technology Security: Governance, Strategy, and Practice in Higher Education," vol. 5, 2003, p. 87.)

The risk assessment tool provided here may be used to identify assets and the risks to those assets, to estimate the likelihood of security failures, and to identify appropriate controls for protecting assets and resources. Management should review the outcome of the risk assessment and prioritize remedies for the problems it identifies, weighing the severity of the likely consequences against the cost of reasonable and cost-effective safeguards or controls.

Please note that the Gramm-Leach-Bliley (GLB) Compliance Plan requires risk assessments of all functional areas that handle loan information, as described in that program.
