Information Technology Standard 08.1.0

Risk Assessment Standard


Date of Current Revision or Creation: December 1, 2020


The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

Purpose

The purpose of this standard is to establish responsibilities and the process for documenting system risk assessments.

Definitions

BIA Immediate Systems are information technology systems described in the triennial Business Impact Analysis (BIA), maintained centrally for University use, and are considered to require immediate recovery (1-3 business days) in support of the University's mission.

Confidential Systems are systems that store or process data that is not explicitly defined as restricted data and is not intended to be made publicly available. Confidential data is distributed on a need-to-know basis between members of the University staff, IT systems, and specific third parties when authorized. Unauthorized exposure of this information could violate state and federal laws and/or can adversely affect the University as a whole or in part or the interests of individuals associated with the University. Confidential data may only be disclosed to a third party with the permission of the Data Owner.

If a file which would otherwise be considered public contains an element of confidential, the entire file may be considered to be confidential information.

Data is defined as an information asset that represents, but is not limited to, individual data elements, lists, addresses, documents, images, measurement samples, programs, program source code, voice recordings, aggregations of data, or other information in a digital format. Data in a tangible object, typically paper, is excluded from this policy, but is subject to other University policies, including, but not limited to, policies on records management and confidentiality.

Data Owner is the individual responsible for the practice decisions of data and for approval of access to the data.

Information Security Office is the unit within the Office of Information Technology Services (ITS) responsible for overseeing efforts to protect ODU's computing and information assets and to assist in compliance efforts with information-related laws, regulations, and policies.

Restricted Systems are systems that contain data that may be subject to disclosure laws requiring careful management and protection to ensure their integrity, appropriate access, and availability. This information must be guarded from disclosure. Unauthorized exposure of this information could contribute to identity theft, financial fraud, and violate state and/or federal laws. Unauthorized disclosure of this data could adversely affect the University or the interests of individuals and organizations associated with the University. Systems containing restricted data must be approved by the Information Security Officer.

Risk Treatments involve identifying the range of options for treating unacceptable risk, assessing those options, preparing risk treatment plans and implementing them.

Risks are those factors that could affect the security, availability, and integrity of the University's key information assets and systems.

Sensitive System is a classification given to Restricted IT systems in which the loss to confidentiality of the system or data could have a material adverse effect on the University interests or the privacy to which individuals are entitled. Systems will be designated to be either Restricted or Confidential based on the sensitivity of the data.

System - refers to a collection of components (hardware, software, personnel, data, and/or configuration) that provides a service or fulfills a business use case, regardless of where it is hosted or who administers it.

System Design Change is defined as any combination of changes to individual system components, or major modifications to software, hardware, or database components that effectively change the way the system operates or responds to the user. Changes include an operating system change, type of database used, changes to underlying processes such as the use of new scripting language or web development platform, a complete hardware lifecycle change, a change of hosted providers, a change of data being provided to a hosted provider to a more sensitive type of data, or a change to the authentication system being used

System Risk Assessment is the overall process of system risk analysis and risk evaluation, and identification of risk treatments. It is also the name of the report required as documentation.

System Owner is the manager responsible for operation and maintenance of a University IT system, whether an on-premises system or a hosted system, service or application.

Standards Statement

Responsibilities

The Information Security Office in Information Technology Services assists System Owners in understanding system risk assessments, and provides standard forms and directions, reviews all system risk assessments and retains the documents, reviews industry standards and activities of relevant organizations in order to improve the risk assessment process.

The System Owner is responsible for documenting and maintaining the system risk assessment information for systems owned, and is authorized to perform all tasks necessary to perform this function.

The Data Owner is responsible for classifying the data on the IT system as Confidential or Restricted if any type of data handled by the system has a sensitivity of high or medium on the criteria of confidentiality, defining the protection requirements for the data based on the sensitivity of the data, any legal or regulatory requirements, and business needs. Availability and Integrity are defined by the BIA designation for Recovery Point Objective and Recovery Time Objective, and are reflected in the System Risk Assessment and in the University BIA.

System Risk Assessments

The overall process of system risk analysis and risk evaluation, and identification of risk treatments, is formally documented in the System Risk Assessment (SRA) and the Software Decision Analysis (SDA) that are drafted by the system owners and reviewed by the ITS Information Security Office.

New IT systems will have an SDA performed in order to determine the system classification. For systems classified as restricted, a System Risk Assessment must be completed before the system is placed into production. For systems that are classified as confidential, an SDA will serve as the initial risk review allowing the system to go into production, and a System Risk Assessment can be completed within the annual risk assessment review cycle.

All System Owners, in collaboration with the Data Owners, must conduct and document an information security risk assessment or SDA of IT systems they own or manage as noted below:

  1. Before a system is placed in production to provide services for the University, and
  2. Whenever a system design change occurs that may alter the risks associated the classification, environment, or operation and may impact the confidentiality, integrity or availability of a system. Data Owners should be notified if such changes have occurred.
  3. Upon contract renewal for hosted systems.
  4. Annually for restricted systems and BIA Immediate systems.
  5. Systems may be combined into a single system risk assessment when warranted based combined risks and controls.

Restricted and BIA Immediate Systems

System Owners of Restricted or BIA Immediate systems must review and update their system risk assessment annually, when system design changes occur, when system ownership changes, and upon contract renewal for hosted services.

Confidential Systems

System Owners of confidential systems must review and update their system risk assessment or SDA when system design changes occur, or when system ownership changes, and upon contract renewal for hosted services.

System Risk Assessment Documentation

System Owners, in collaboration with the Data Owners, must complete or update the System Risk Assessment, in the form provided by the Information Security Office that includes, at a minimum, identification of all risks discovered during the assessment, major findings, risk mitigation recommendations, if any, and may be in the form of an SDA, including named compliance requirements, security responsibilities, and data owner sign-off, until and unless a system risk assessment is deemed necessary.

All information collected or used as a part of the system risk assessment process must be formally documented and securely maintained. New or updated System Risk Assessments are provided to the Information Security Officer upon completion.

Risk Treatment

Risk treatment efforts should be undertaken to mitigate identified high or unacceptable risks, using appropriate administrative, technical and physical security controls.

In the event any assessment identifies inadequate controls or a lack of compliance with controls, a risk treatment will be undertaken, reported to upper management, and tracked until compliance is achieved or mitigating controls have been established and implemented. Risk treatments should take account of the legal-regulatory and private certificatory requirements; the organizational objectives, operational requirements and constraints; and the costs associated with implementation and operation relative to risks being reduced.

Risk treatment decisions must be must be formally documented and securely maintained. Risk treatment decisions are provided to the Information Security Officer upon completion.

External Parties

External parties, including partners, vendors and contractors, are responsible for managing the risks to their information assets that are accessed, processed, communicated with in accordance with the contract and any guidelines provided by the Information Security Office.

Assistance

This Information Security Office is available to assist System Owners in understanding the process and completing the System Risk Assessments or SDAs.

Procedures, Guidelines & Other Related Information

History

Date

Responsible Party

Action

October 2008

CIO/ITAC

Created

October 2009

CIO/ITAC

Reaffirmed

October 2010

CIO/ITAC

Reaffirmed

October 2011

CIO/ITAC

Reaffirmed

September 2012

CIO/ITAC

Revised

December 2012

IT Policy Office

Numbering revised; Security Office revisions

March 2012

CIO/ITAC

Reaffirmed

December 2017 CIO/ITAC Revised
December 2020 IT Policy Office Reaffirmed