Risk Assessment Standard
Date of Current Revision or Creation: October 2024
The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, and migration and implementation strategies that direct the design, deployment and management of information technology.
Purpose
The purpose of this standard is to establish responsibilities and the process for documenting system risk assessments.
Definitions
BIA Immediate Systems are information technology systems described in the triennial Business Impact Analysis (BIA), maintained centrally for University use, and are considered to require immediate recovery (1-3 business days) in support of the University's mission.
Confidential Systems are systems that store or process data that is not explicitly defined as restricted data and is not intended to be made publicly available, considered data classification 2-4 (as defined in ITS Standard 2.3.0 Data Administration and Classification Standard). Confidential data is distributed on a need-to-know basis between members of the University staff, IT systems, and specific third parties when authorized. Unauthorized exposure of this information could violate state and federal laws and/or can adversely affect the University as a whole or in part or the interests of individuals associated with the University. Confidential data may only be disclosed to a third party with the permission of the Data Compliance Owner. If a file which would otherwise be considered public contains an element of confidential information, the entire file may be considered confidential information.
Data is defined as an information asset that represents, but is not limited to, individual data elements, lists, addresses, documents, images, measurement samples, programs, program source code, voice recordings, aggregations of data, or other information in a digital format. Data in a tangible object, typically paper, is excluded from this policy, but is subject to other University policies, including, but not limited to, policies on records management and confidentiality.
Information Security Governance, Risk, and Compliance (GRC) is a strategic functional unit within the University Information Security Office serving the campus community by assisting with meeting compliance of federal and state regulations; University policies, standards, and guidelines; and managing potential security risks to the University. The GRC team also seeks to provide University leadership with the tools needed to make informed risk-based decisions that best support the mission of the University.
Restricted is a classification given to an IT system in which the loss of confidentiality of the system or data could have a material adverse effect on the University's interests or the privacy to which individuals are entitled. Systems will be designated to be either Restricted or Confidential based on the sensitivity of the data.
Restricted Systems are systems that contain data that may be subject to disclosure laws requiring careful management and protection to ensure their integrity, appropriate access, and availability. This information must be guarded from disclosure. Unauthorized exposure of this information could contribute to identity theft, financial fraud, and violate state and/or federal laws. Unauthorized disclosure of this data could adversely affect the University, or the interests of individuals and organizations associated with the University. Systems containing restricted data must be approved by the CISO or delegated to the Information Security GRC team.
Risk Treatments involve identifying the range of options for treating unacceptable risk, assessing those options, preparing risk treatment plans, and implementing them.
Risks are those factors that could affect the security, availability, and integrity of the University’s key information assets and systems.
System refers to a collection of components (hardware, software, personnel, data, and/or configuration) that provides a service or fulfills a business use case, regardless of where it is hosted or who administers it.
System Design Change is defined as any combination of changes to individual system components, or major modifications to software, hardware, or database components that effectively change the way the system operates or responds to the user. Changes include an operating system change, type of database used, changes to underlying processes such as the use of new scripting language or web development platform, a complete hardware lifecycle change, a change of hosted providers, a change of data being provided to a hosted provider to a more sensitive type of data, or a change to the authentication system being used.
System Risk Assessment is the overall process of system risk analysis and risk evaluation, and identification of risk treatments. It is also the name of the report required as documentation.
Standards Statement
Responsibilities
The Information Security GRC team assists System Compliance Owners (as defined in 01.2.0 IT Security Roles & Responsibilities Standard) in understanding system risk assessments, provides standard forms and directions, reviews all system risk assessments and retains the documents, and reviews industry standards and activities of relevant organizations in order to improve the risk assessment process.
The System Compliance Owner is responsible for documenting and maintaining the system risk assessment information for systems owned and is authorized to perform all tasks necessary to perform this function.
The Data Compliance Owner (as defined in 01.2.0 IT Security Roles & Responsibilities Standard) is responsible for classifying the data on the IT system as Class 1 Restricted to Class 4 Confidential, non-regulated. If any type of data handled by the system has a classification of one through four on the criteria of confidentiality, then protection requirements for the data must be defined based on the sensitivity of the data, any legal or regulatory requirements, and business needs. Availability and Integrity are defined by the BIA designation for Recovery Point Objective and Recovery Time Objective and are reflected in the System Risk Assessment and in the University BIA.
System Risk Assessments
The overall process of system risk analysis and risk evaluation, and identification of risk treatments, is formally documented in the System Risk Assessment (SRA) and the Solution Discovery Analysis (SDA) that are drafted in collaboration with the system compliance owners and the Information Security GRC team.
New IT systems will have an SDA performed in order to determine the system classification. For systems classified as restricted, once the required SDA is complete, efforts should be made to complete a System Risk Assessment before the system is placed into production, but no longer than a year from the purchase date. For systems that are classified as confidential, an SDA will serve as the initial risk review allowing the system to go into production.
Restricted and BIA Immediate Systems
System Compliance Owners of Restricted or BIA Immediate systems must complete a full risk assessment review every three years with Information Security GRC. Out-of-cycle updates will occur when system design changes occur, when system compliance ownership changes, or when changes to data occur. For hosted or contracted services, updated compliance assurance will be collected annually.
Confidential Systems
System Compliance Owners of confidential systems must review and update the completed SDA when system design changes occur that include changes to data or integrations, and upon contract renewal for hosted services. If no changes occur upon renewal, no updates to the SDA will be required.
System Risk Assessment Documentation
System Compliance Owners, in collaboration with the Data Compliance Owners and Information Security GRC, must complete or update a Risk Assessment in the form provided by the Information Security GRC team. The assessment includes, at a minimum, identification of all risks discovered during the assessment, major findings, and risk mitigation recommendations, if any, and may be in the form of an SDA or SRA, including named compliance requirements, security responsibilities, and Data Compliance Owner sign-off.
All information collected or used as a part of the risk assessment process must be formally documented and securely maintained. New or updated Risk Assessments are provided to the Information Security GRC team upon completion for final review and approval.
Risk Treatment
Risk treatment efforts should be undertaken to mitigate identified high or unacceptable risks, using appropriate administrative, technical, and physical security controls.
In the event any assessment identifies inadequate controls or a lack of compliance with controls, a risk treatment will be undertaken, reported to ITS management and tracked until compliance is achieved or mitigating controls have been established and implemented. Risk treatments should take account of the legal-regulatory and private certificatory requirements; the organizational objectives, operational requirements, and constraints; and the costs associated with implementation and operation relative to risks being reduced. Risk acceptance may be warranted, documented, and accepted as part of the risk assessment process. The acceptance of risks varies based on data and business needs which determine the level of risk acceptance, as outlined in Solution Discovery Analysis and Risk Assessment Guideline 08.1.1.
Risk treatment decisions shall be formally documented in the appropriate risk assessment form such as SDA or SRA. Assessments are securely maintained by the Information Security GRC team.
External Parties
External parties, including partners, vendors, and contractors, are responsible for managing the risks to their information assets and University information assets that are accessed, processed, or communicated with, in accordance with the contract and any guidelines provided by the Information Security GRC team.
Assistance
The Information Security GRC team is available to assist System Compliance Owners in understanding the process and completing the System Risk Assessments or SDAs.
Procedures, Guidelines & Other Related Information
- Federal and State Law
- University IT Policies
- Policy 3509 – Solutions Discovery Analysis
- ITS Standards
- Detailed procedures on System Risk Assessment and System Inventory are provided on the Systems Assessment web page.
History
Date | Responsible Party | Action |
October 2008 | CIO/ITAC | Created |
October 2009 | CIO/ITAC | Reaffirmed |
October 2010 | CIO/ITAC | Reaffirmed |
October 2011 | CIO/ITAC | Reaffirmed |
September 2012 | CIO/ITAC | Revised |
December 2012 | IT Policy Office | Numbering revised; Security Office revisions |
March 2012 | CIO/ITAC | Reaffirmed |
December 2017 | CIO/ITAC | Revised |
December 2020 | IT Policy Office | Reaffirmed |
October 2024 | IT Security Office | Information Security GRC Office revisions |