Q: What are the criteria for University Information Security scheduling a risk assessment? A: Criteria include the prevalence of private data as identified in the Private Data Inventory, critical services (such as life and safety), and the potential impact to the University.
Q: How does a department or unit prepare for a risk assessment? A: Review the information security standards, identify gaps in current processes, prioritize gaps, and communicate the schedule and expectations to staff.
Q: Who determines the scope of a risk assessment? A: University Information Security works with department or unit leadership to determine the scope of each assessment.
Q: How long do assessments take? A: The time commitment varies based on scope and complexity, but typically they take weeks, not months.
Q: Is a gap analysis different from a risk assessment? A: Both a gap analysis and a risk assessment can involve people, processes or technology. A gap analysis is required for departments or units to address gaps between current practices and the information security standards even if a risk assessment is not scheduled.
Q: How are risks evaluated or impacted when departments use IT’s Services? A: If a department or unit is an IT Service customer, some portion of risk ownership may be transferred to the IT Service, e.g. platform-level infrastructure, but the department or unit continues to be responsible for application-level risks.
Q: What happens if a department or unit is not contacted by UIS to have a risk assessment? A: Departments or units should complete a security plan to prioritize risk management efforts, but can request a risk assessment at any time.
Q: Who pays for risk assessments? A: Scheduled risk assessments are funded by University Information Security.