Information Security Office rolls out new risk assessment process
The Information Security Office launched a new, streamlined risk assessment process in January 2019.
Two projects, driven by Interim CIO J. Michael Barker and project manager Candace Reynolds, decreased the amount of time spent on risk assessments, a process that the ISO conducts for clients to identify possible threats against sensitive information.
Previously, the risk assessment process could take weeks to months to complete due to the need for constant communication and sharing of information between different parties involved in the process: clients, vendors and data stewards.
The landscape for completing a risk assessment has shifted since the implementation of stricter regulations required by state and federal agencies. Typically, assessments are completed for application or solution purchases; however, the ISO noted an increasing number of research projects and grants needing to be assessed.
“We have seen, for example, a 100% increase in risk assessment requests, year-over-year,” said Information Security Manager Mel Radcliffe. “New assessment requirements have resulted in a shift in how we conduct our assessments and the depth to which we have to gather, and provide, security information.”
Standardized templates are key
The first risk assessment improvement project began in fall 2018 with help from an external vendor in addition to the ISO team, Research Computing and Barker. ISO had conducted risk assessments on a per-request basis. However, with increased demand for assessments, the work became tedious and inefficient. The new risk assessment process is designed to introduce a standardized template that reduces time spent on each assessment.
“If a customer is required to complete a risk assessment for an external agency, and they use the ITS system or the Secure Research Workspace, then much of the assessment is already filled out via the template,” said Radcliffe.
ITS Research Computing also played a significant role in this project, providing funding and technical support. Together, the ISO and Research Computing group hired an external vendor in fall 2018 to conduct a general controls review of the ITS information system and the Secure Research Workspace in Research Computing.
In May 2019, ITS completed and delivered the work with the external vendor. The next step is to develop useful templates that can be applied to assessments of solutions that use ITS or Secure Research Workspace resources.
As the project wraps up, the ISO hopes to train IT staff on campus to use the new risk assessment process, which will enable them to conduct their own assessments for requests within their departments and units.
“We also have a living document that we maintain over time as we make changes to these systems,” Radcliffe said.
Reduced duplication of efforts
The second project in fall 2018, led by Reynolds, introduced several changes to the existing assessment process that reduced duplication of effort and decreased the time it takes to gather information from vendors and customers.
Overall, moving toward a new, streamlined risk assessment process has several benefits, not only for the ISO but for the University. The process will increase the number of assessments completed, further worker efficiency, provide quality service for customers, and, ultimately, reduce risk to the University. Also, the extensive assessment needs for researchers will be fulfilled, drawing more research projects to the University.