When it comes to information security, taking a hard look at your institutional risk may not be easy. But it’s a critical step toward keeping your campus safe.
So what does a risk assessment even look like? What and who are involved? And what are the end goals?
Following are some best practices to help you understand and get started on this valuable endeavor.
1. Get the right people in the room
While IT may lead the charge, your assessment will only have the necessary weight and impact if you engage a range of stakeholders. That’s because, in addition to technology, people and processes are significant risk factors.
Stakeholders to engage include:
Executives: Institutional leaders must set the tone that security involves everyone and that it’s okay to have a frank and honest discussion about possible weaknesses. Executive buy-in will also be crucial once the assessment is complete, and you need to garner adequate resources to address vulnerabilities.
Department heads: In addition to providing access to systems and data, department heads must share ownership for any risks identified.
Finance, HR, and legal: Because you’ll be assessing policies and procedures that govern the use of personal and financial data across all departments, having representatives from finance, HR, and legal involved at every stage is a must.
External auditors: If you have the resources, you may consider hiring an external company to assess or audit your security risk.
It’s also important to include vendor partners and their systems in your assessment. If there are third parties sharing or storing your data, their vulnerabilities might as well be your own.
2. Choose a methodology
There are many methodologies for conducting a risk assessment. Some are open source, some are proprietary, but all aim to answer the same basic questions:
What assets do we need to protect?
Who/what poses a threat to those assets?
What would the impact be if those assets were stolen, damaged, or lost?
What needs to happen in order to minimize our risk?
A good starting place for colleges and universities is the assessment tool created by the EDUCAUSE Cybersecurity Initiative and the Higher Education Information Security Council.
3. Prioritize threats
Not every threat is equally likely to occur, nor will they all have the same level of impact on the institution. If you have limited resources, or are creating a timeline, it can help to locate threats on a map of likelihood vs. impact, so you can begin to prioritize.
The map above shows what this might look like for a sample institution. In the upper right hand corner, the red zone, the institution has listed “credentials for privileged accounts being shared too broadly”—which is highly likely to cause significant impact. Maybe administrator passwords are being shared among multiple users or they are being left unchanged when new staff replace old. Regardless, inadequate control over access and identity rights is a threat the institution must address immediately.
Closer to the center, in the yellow zone, the institution has listed “No due diligence process for 3rd party vendors.” Because there is no known imminent threat, the priority may be slightly lower. But, if the institution’s data were to be compromised due to a partner’s data breach, the impact would still be high. So any delay in addressing this threat implies an acceptance of risk. A map like this helps institutional leaders understand the tradeoffs, so they can have meaningful discussions about their tolerance for risk and allocation of resources.
When discussing possible outcomes, keep in mind that impact can be financial, reputational, operational or all of the above.
4. Make assessments ongoing
Because there are so many factors that impact security—not the least of which is rapidly evolving threats—it’s not enough to conduct a single assessment.
Choose a schedule for regularly updating your assessment. Internal self-assessments should be relatively frequent, while external auditors might be scheduled less often or for specific purposes.
It’s also a good idea to engage regularly with peers and industry workgroups. Staying on top of the latest threats, mitigation techniques, technologies, and best practices is often too much for one institution. Attend cybersecurity events, take advantage of the Higher Education Information Security Council (HEISC)’s extensive online resources, and pay attention to what’s happening in other fields.
When it comes to staying vigilant and ongoing learning, you can’t do too much.