Page History

Developing an effective risk management program is important in building an information security program. Risk management activities should take into account people, business processes (information handling), and technology. 

Evaluate and select risk management methods:

• ISO/IEC 27005:2011 provides guidance in establishing a risk management program, and describes how to implement each phase of risk management (identification, assessment, treatment, monitoring and review)
• NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission and Information System View, describes the fundamentals and the process of completing risk assessments
• NIST Special Publication 800-30 Revision 1 is a Guide For Conducting Risk Assessments
• ISO/IEC 27002:2013 is an international standard that assists organizations with evaluating information security controls and performing risk treatment activities
• NIST Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework, offers guidance in evaluating controls and applying risk treatment methods
• The HEISC Risk Management Framework is closely aligned with the guidance provided in the NIST publications cited above
• ISO/IEC 27005:2011, used in combination with the above framework, provide a complementary and comprehensive approach to identifying, assessing, and treating risks

Perform a high level risk assessment:

1. Identify risks associated with information handling/business processes and begin educating the stakeholder community about information security risk management and what’s involved in various stages (risk identification, assessment, treatment, monitoring and review)
2. Visit each major stakeholder (senior staff, administrative department heads, etc.,) and discuss/evaluate:

• • The types (classifications) of information their department handles
  • How they handle paper documents with various types of information (Read more about data classification in the Asset Management Chapter.)
  • Use of encryption to protect sensitive or confidential information (Read more about encryption in the Cryptography Chapter.)
  • Third party service providers that they use to handle information on their behalf
  • External websites/portals where they enter and/or store information (Read more about third party service providers in the Supplier Relationships Chapter.)
  • Where they store institutional data (on their workstations, on the network, and/or external storage facilities like Dropbox or One Drive)
  • The potential impact of a loss of data integrity or availability and business continuity considerations (Read more about business continuity in the Information Security Aspects of Business Continuity Chapter.)
  • The specific compliance requirements that apply to this stakeholder’s area such as HIPAA or PCI and whether these requirements are being addressed in a compliant manner. This can facilitate additional helpful conversations with legal affairs and auditors on campus. (Read more about compliance requirements in the Compliance Chapter.)

3. Develop a ranking system to help you sort and prioritize their responses

Evaluate risks and vulnerabilities associated with ‘technology and people’:

1. Identify IT-managed equipment/assets (use vulnerability scanning tools to conduct discovery scans and/or pull the information from an asset register)
2. Run vulnerability scans on those assets (servers, network equipment, PCI network devices, for example)
3. Verify where confidential information resides (use a Data Loss Prevention (DLP) tool to scan IT-managed workstations and network directories or try to identify this in general at stakeholder meetings) (See the HEISC Confidential Data Handling Blueprint for additional suggestions.)
4. Have staff and faculty completed security awareness training that emphasizes data protection? (See the Cybersecurity Awareness Resource Library for Suggestions.)

Expand the information security risk management program:

1. Adopt specific methodologies described in the standards and guidelines listed in #1 above
2. Complete a formal information security risk assessment across the university
3. Take a phased or incremental approach if the institution is large or has decentralized IT operations
4. Outsource risk assessments to third party service providers if you don’t have resources to perform them
5. Reevaluate risks and vulnerabilities on a recurring basis as each risk assessment is a ‘snapshot’ at a point in time
6. Explore the use of GRC solutions that can assist with developing a formal risk management system.
7. See the HEISC GRC FAQ for an overview of GRC solutions.
8. Review the following resources for additional recommendations: 

• • Learning While Doing: Two Institutions’ Practical IT Risk Management Experiences
  • Practical Approaches to Effective Risk Management

Risk Management is the foundation of every good information security program. There are many approaches that an institution can take to identify risks that impact people, business processes (information handling), and technology. Prioritize identified risks and implement information security policies, controls, and compliance initiatives to assist with making information security program improvements.

Campus Case Studies On This Page

Identity Assurance at Virginia Tech

EDUCAUSE Resources

• IT Risk Management: Try This Exercise at Your Institution, an example of using the EDUCAUSE Top Ten IT Issues as a guide to inform risk management practices (from Educause Review Online)
• Practical Approaches to Effective Risk Management, Presentation at EDUCAUSE Annual Conference, 2011
• Proactive Compliance through Information Systems Risk Management, Presentation at the MidAtlantic Regional Conference, 2011
• Cyber Insurance portal resource page for EDUCAUSE publications, presentations and other resources on this topic.
• Taking Risk Assessment from Project to Process: A Novel Approach Presentation at the Security Professionals Conference, 2010
• Risk Management Framework for an adaptable approach to risk management oriented toward higher education.
• Security Risk Assessment and Analysis portal Management resource page for EDUCAUSE publications, presentations and other risk assessment and analysis resources.
• Risk Management portal resource page for EDUCAUSE publications, presentations and other resources on this topic.
• Information Security Program Self-Assessment Tool is intended to help a CIO or CISO evaluate and track the maturity of an information security program.Privacy Risk Assessment portal for EDUCAUSE publications, presentations and other resources on this topic.
• Foundations for Effective Security Risk and Program Assessment, EDUCAUSE Security Professionals Conference 2010
• GRC FAQ: Frequently Asked Questions about Governance, Risk, and Compliance (GRC) Systems, 2012

Initiatives, Collaborations, & Other Resources

• Statement on Standards for Attestation Engagements (SSAE) No. 16 (formerly SAS 70) focuses on the design of controls and their operating effectiveness.
• Payment Card Industry Standard (PCI)
• Verizon's Annual Data Breach Investigations Report provides known threat vector information
• Evaluating Cloud Risk for the Enterprise: A Shared Assessments Guide
• The Forrester Wave: Governance, Risk, and Compliance Platforms
• Gartner's Magic Quadrant for IT Risk Management (includes a list of products to automate effective IT risk management processes)