Risk assessment and treatment

Safeguards for Domain 1 Information Security & Privacy Program

A sound risk assessment strategy must identify, understand, and prioritize risks to information. Information security and privacy risk assessments can be time consuming and costly, so should be performed based on the sensitivity or criticality of the information used in the system or process. Systems that process sensitive information or provide critical services must be assessed much more rigorously than those that do not. The resulting analysis should guide management decisions on which safeguards are needed to address (treat) identified risks.

The overall goal is to implement appropriate safeguards that protect personal and institutional information while enabling the university's mission.

Assessing security and privacy risks

Information has always been at risk. Printed grade books, printed transcripts, student enrollment records, intellectual property, and research data have always been susceptible to eavesdropping, theft, and loss. Information technology is risk additive, allowing information to be shared – or compromised - from anywhere in the world in mere seconds.

An effective risk assessment approach must consider threats inherent in information use while balancing the needs of the university. This assessment then guides the risk treatment approach.

Privacy-related risk assessments are typically called Privacy Impact Assessments (PIAs), and focus on analyzing how personally identifiable information is handled by the business unit.

Classification of Data

The university's Committee of Data Stewards classifies institutional data, and that classification serves as one basis upon which risk assessments should be performed. Information elements or assets may be classified by the appropriate Data Steward into levels, which are based on the confidentiality (the sensitivity as it relates to its inappropriate disclosure) and the criticality (the relative importance of maintaining integrity and availability for business operations) of the information element or asset.

University units that use information not under the purview of the Committee of Data Stewards must be aware of applicable legal, contractual, regulatory, policy, and compliance requirements that govern the information and perform risk assessments appropriately.

Data Classification Inventory

The Committee of Data Stewards maintains an inventory of institutional data elements that have been classified.

Critical Business Process and Services Inventory

As part of Business Continuity Planning, units conduct a business process and services inventory to understand which processes (and thus which information and technology assets) are mission-critical to the survivability of the departmental mission.

Risk Assessments

The University Information Security Office (UISO) provides security risk assessments related to Indiana University's use of information and information technology. UISO will perform these reviews upon request, based on the sensitivity of data being handled by a university unit, or as a result of a security or privacy incident. The goals of these assessments are to help units identify security issues and risks, raise the awareness of responsibilities and risks, and to ensure appropriate resources (e.g., staffing, software, hardware, safeguards) are brought to bear in mitigating these risks. To request a security review, email uiso@iu.edu.

Indiana University Internal Audit is an independent, objective assurance and consulting unit that helps university units accomplish objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Internal Audit conducts its own risk assessment process at regular intervals, and through executive leadership participation, in order to prepare its audit plan. Internal Audit performs mandatory (legally mandated by federal, state, and public regulatory agencies), scheduled (based on a systematic, risk/exposure methodology), and requested (in response to requests from IU units) audits. Audit reports are shared with unit and university administration and are filed with the Indiana State Board of Accounts.

Treating security and privacy risks

The risk treatment approach must be appropriate given the risks of information exposure, loss, and lack of availability. Many factors may be considered during this process, including:

the university's mission
legislation, regulations, and compliance requirements
addressing the risks compared with the benefit of the activity
operational requirements and constraints

The university may be required to undertake some activities regardless of the level of risk; in these situations, identifying an appropriate risk treatment approach is important.

The risk treatment approach will vary based on the type of activity, may change over time, and may include:

risk reduction - implement safeguards to reduce risks
risk acceptance - recognize and accept risks without additional steps
risk avoidance - deem the activity too risky, even when combined with other treatment options
risk sharing - sharing the economic aspect of risks, usually via insurance or outsourcing

Risk Treatment

The safeguards outlined in the other domains of this Information Security and Privacy Program can be applied to reduce risks.

Arrangements to share financial aspects of risk using insurance are coordinated by the Office of Insurance, Loss Control & Claims.

Arrangements to share aspects of risk with an outsourced party are coordinated by the Office of Procurement Services.

Summary of domain objectives

The primary objectives of this domain are to ensure:

risk assessment and treatment objectives, criteria, and decisions are documented
assessment scope is clearly defined
assessments are methodical, reproducible and performed periodically
risks are identified and prioritized
decisions are made to reduce, accept, avoid, or share identified risks
decisions are guided by a sound risk assessment and treatment process
appropriate safeguards are selected to protect personal and institutional information

Supplemental resources

COSO Enterprise Risk Management --Integrated Framework, 2004 | Committee on Sponsoring Organizations of the Treadway Commission (COSO)
ISO 31000:2009 Risk Management -- Principles and Guidelines | International Organization for Standardization (ISO), 2009
Risk Management Framework | EDUCAUSE/Internet2 Higher Education Information Security Council. Intended to provide high-level guidance for an effective cyber-risk assessment and management process for institutions of higher education, and a model process which can be adapted, as needed, for any institution regardless of size, funding model, or culture.
Risk Management | EDUCAUSE/Internet2 Information Security Guide