The University of Arizona

Risk Assessment Toolkit

RISK ASSESSMENT UPDATE:

All departments, centers, business units and other operating units have completed Phase I of the campus-wide risk assessment. Phase II of the risk assessment consists of completing a department Risk Action Plan. Click here to find Action Plan forms. FAQs regarding risk action plans can be found here.

2009 Information Security Risk Assessment Documents

  • PDF documents: These documents can be printed and used as working copies: Part 1 | Part 2 | Part 3 | Part 4 | Part 5 | Part 6 | Part 7
  • Excel Workbook: This is the document that each unit will complete and submit: Excel
  • Part 3 additional space (Excel): Additional space for listing unit applications: Part 3 additional
  • Action Plan forms: The full Action Plan consists of two forms: the Action Plan worksheet and the signature page. Both of these forms should be completed and returned to the Information Security Office at CIO-ISO@email.arizona.edu. Please contact the Information Security Office at 621-UISO (8476) if you have any questions or concerns.
    • Action Plan Worksheet Template (Excel) -- NOTE: The column provided for the proposed mitigation strategy contains the original recommendations provided to units for the high priority items listed. You can replace this information with your own strategy.
    • Action Plan signature page Word | PDF

What is risk assessment?

Information security risk assessment involves identifying and assessing risks to confidentiality, integrity and availability of information and information systems. A typical self-assessment involves an extensive questionnaire with defined control objectives and techniques derived from requirements and best practices found in statute, policy and guidance on information security. The process measures information systems against these requirements and identifies gaps in meeting them. Repeat assessments measure progress toward them.

The Information Security Office will facilitate a risk assessment in academic and business units throughout the University during Summer 2009.

Why is a risk assessment being conducted?

A risk assessment is a prerequisite to the formation of strategies for developing, implementing and maintaining an information security posture. The need for risk assessment is emphasized by:

When was it conducted?

  • Beginning on or after July 1, 2009
  • Return to UISO by August 31, 2009 (complete Risk Assessment Procedure Steps 1-4)

How was it conducted?

Inventory Resources (optional freeware)


Frequently Asked Questions