Purpose:
The Higher Education Information Security Council (HEISC) risk assessment / management framework is intended to provide high-level guidance for an effective cyber-risk assessment and management process for institutions of higher education. It is intended to provide a model process which can be adapted, as needed, for any institution regardless of size, funding model, or culture.
Background and overview:
In virtually every aspect of education, research, and administration there is an increased reliance on digital information and the technologies that support it. With this comes an increasing level of responsibility to protect these information assets from accidental or malicious exposure or damage. In light of current and pending federal and state legislation, it is imperative for universities to recognize that information risk management must be part of their strategic and continuity planning.
Risk management is the ongoing process of identifying these risks and implementing plans to address them. Risk is determined by considering the likelihood that known threats will exploit vulnerabilities and the impact they have on valuable assets. Sometimes risk is expressed as a conceptual formula: Risk = Threat x Vulnerability x Impact.
Risk assessment is the part of the ongoing risk management process that assigns relative priorities for mitigation plans and implementation. It is a large part of the overall risk management process; many of the steps described in this framework focus on the assessment process.
Risk decisions are made all the time, sometimes without deep consideration, and may even be based on intuition. A formalized risk management process can uncover risks that were not anticipated, resolve funding conflicts, and help enhance executive buy-in to security improvements.
Some risk terms might be confusing. A vulnerability assessment is basically an inventory of all vulnerabilities. It is often thought of as just a technical examination (network scanning, etc.), but a complete vulnerability assessment would include all manner of vulnerabilities: physical, process, etc. The risk assessment considers those vulnerabilities in light of the other aspects of the risk formula, threats and impact (which includes the concepts of both asset and value), so that the potential mitigations that might be applied can be prioritized. Risk management is doing all of that plus actually mitigating the selected vulnerabilities, measuring the outcome of the process, and repeating the process again and again. Often, the number of assets potentially at risk exceeds the resources available to manage them. It is therefore extremely important to know where to apply available resources to mitigate the highest priority risks in an efficient and cost-effective manner. It is also important to balance security with usability.
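The following is an added example, not part of the HEISC framework, showing the conceptual formula applied to a small constructed risk register: each entry is scored on ordinal scales, ranked by risk, and then mitigations are selected within a budget by risk reduced per unit of cost. The asset names, scales, costs and residual scores are all assumed for illustration.

```python
from dataclasses import dataclass

# Ordinal scales (1 = low, 3 = high) for the formula Risk = Threat x Vulnerability x Impact.
# The scales and every register entry below are constructed for this example.

@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str           # threat being considered for this asset
    threat_level: int     # likelihood the threat is active (1-3)
    vulnerability: int    # ease of exploitation given current safeguards (1-3)
    impact: int           # consequence to confidentiality/integrity/availability (1-3)
    mitigation: str       # candidate mitigation from the assessment
    cost: int             # relative cost of the mitigation
    residual_vuln: int    # expected vulnerability level after mitigation (1-3)

    @property
    def risk(self) -> int:
        return self.threat_level * self.vulnerability * self.impact

    @property
    def residual_risk(self) -> int:
        return self.threat_level * self.residual_vuln * self.impact

# Constructed register: four assets with one risk statement each.
REGISTER = [
    RiskItem("student records DB", "credential theft", 3, 3, 3, "enforce MFA", 2, 1),
    RiskItem("research cluster", "ransomware", 2, 3, 3, "offline backups", 3, 2),
    RiskItem("campus wiki", "defacement", 2, 2, 1, "patch CMS", 1, 1),
    RiskItem("HVAC controllers", "unauthorised access", 1, 3, 2, "network segmentation", 1, 1),
]

def rank_by_risk(items):
    """Order risk statements by the formula, highest risk first."""
    return sorted(items, key=lambda i: i.risk, reverse=True)

def plan_mitigations(items, budget):
    """Pick mitigations greedily by risk reduced per unit cost until the budget is spent."""
    by_value = sorted(items, key=lambda i: (i.risk - i.residual_risk) / i.cost, reverse=True)
    chosen, spent = [], 0
    for item in by_value:
        if item.risk > item.residual_risk and spent + item.cost <= budget:
            chosen.append(item)
            spent += item.cost
    return chosen

if __name__ == "__main__":
    for item in rank_by_risk(REGISTER):
        print(f"{item.risk:>3}  {item.asset} / {item.threat}")
    for item in plan_mitigations(REGISTER, budget=4):
        print(f"fund: {item.mitigation} ({item.asset}), {item.risk} -> {item.residual_risk}")
```

The greedy selection is one simple prioritization rule; an institution would substitute its own scales and selection criteria from the planning phase.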
Using the Framework:
Risk assessment and management scope may vary. For instance, assessments may be conducted as part of the planning and purchasing process for significant projects or systems. Assessments may also be conducted in response to IT security incidents to help ensure incidents do not recur. They may also be conducted on some regular, periodic basis to assure ongoing compliance and up-to-date security measures.
Moreover, institutions vary in many ways including size, complexity, classification, culture, private/public, and so on. The depth and focus of assessments conducted will often depend upon these and other local considerations. While it is certainly possible to follow every step in every process in every phase of this framework (and many institutions do so) the intent of the framework is to be adaptable to local requirements. It is expected that institutions may decide to combine certain steps or processes to streamline the framework for specific purposes.
Especially for comprehensive risk assessments at large institutions, depth might need to be balanced with feasibility to complete the assessment in a reasonable time frame. Resisting the urge to be overly comprehensive is important because assessments that take longer than a few months to complete may lose value as data becomes stale. Here are some tips to help manage large comprehensive assessments.
Regardless of the assessment scope or local modifications to the process, all four phases of this framework will always apply.
Goals: Establish the strategy for assessing risk. Determine the criteria that will be used to evaluate the strategic importance of assets (often called "asset classification"; see the Data Classification Toolkit for more comprehensive information on this topic), threats, and vulnerabilities.
Goals: Identify and prioritize the institution's critical assets. Identify key threats and vulnerabilities that could compromise the confidentiality, integrity and availability of these assets. Identify all protection in place to safeguard these assets and which vulnerabilities and threats they impact.
Goals: In this phase, risk profiles are created for threats that are most likely to have the largest impact on asset vulnerabilities. This information may then be used to prioritize the cost-effective allocation of resources to ensure appropriate mitigation of the highest risks, balancing usability with security.
Goals: Finally, the protection strategy to mitigate risk is documented. Using the risk statements created in Phase 2, determine which risks will be addressed in the final mitigation strategy. This is also a good time to evaluate the effectiveness of the risk assessment process and begin planning the next assessment with consideration for lessons learned in the current assessment.
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).