Information has always been at risk. Printed grade books, printed transcripts, student enrollment records, intellectual property, and research data have always been susceptible to eavesdropping, theft, and loss. Information technology is risk-additive, allowing information to be shared, or compromised, from anywhere in the world in mere seconds.
An effective risk assessment approach must consider threats inherent in information use while balancing the needs of the university. This assessment then guides the risk treatment approach.
Privacy-related risk assessments are typically called Privacy Impact Assessments (PIAs) and focus on analyzing how personally identifiable information is handled by the business unit.
Classification of Data
The university's Committee of Data Stewards classifies institutional data, and that classification serves as one basis upon which risk assessments should be performed. Information elements or assets may be classified by the appropriate Data Steward into levels, which are based on the confidentiality (the sensitivity as it relates to its inappropriate disclosure) and the criticality (the relative importance of maintaining integrity and availability for business operations) of the information element or asset.
University units that use information not under the purview of the Committee of Data Stewards must be aware of applicable legal, contractual, regulatory, policy, and compliance requirements that govern the information and perform risk assessments appropriately.
Data Classification Inventory
The Committee of Data Stewards maintains an inventory of institutional data elements that have been classified.
Critical Business Process and Services Inventory
As part of Business Continuity Planning, units conduct a business process and services inventory to understand which processes (and thus which information and technology assets) are mission-critical to the survivability of the departmental mission.
The University Information Security Office (UISO) provides security risk assessments related to Indiana University's use of information and information technology. UISO will perform these reviews upon request, based on the sensitivity of data being handled by a university unit, or as a result of a security or privacy incident. The goals of these assessments are to help units identify security issues and risks, raise the awareness of responsibilities and risks, and to ensure appropriate resources (e.g., staffing, software, hardware, safeguards) are brought to bear in mitigating these risks. To request a security review, email firstname.lastname@example.org.
Indiana University Internal Audit is an independent, objective assurance and consulting unit that helps university units accomplish objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Internal Audit conducts its own risk assessment process at regular intervals, and through executive leadership participation, in order to prepare its audit plan. Internal Audit performs mandatory (legally mandated by federal, state, and public regulatory agencies), scheduled (based on a systematic, risk/exposure methodology), and requested (in response to requests from IU units) audits. Audit reports are shared with unit and university administration and are filed with the Indiana State Board of Accounts.
The Empowering People Strategic Plan, Recommendation 5, contains Action 17d, which highlights Indiana University's need for improved risk assessment and treatment personnel and tools.
Action 17d also highlights Indiana University's need for a central asset tracking product, within which risk assessment surveys can be coordinated.