Getting Started with IT Risk Assessments in Higher Ed
IT risk assessments are a critical component of a mature security program. That said, building an assessment program from scratch can be daunting and runs into many obstacles. You might find yourself experiencing the following emotions as you progress toward accepting that a risk assessment must be done.
The five stages of risk assessment
(Apologies in advance to Kübler-Ross)
- Denial: If we don't assess risk, we don't have risk.
- Anger: Why are you doing this?
- Bargaining: What if we start with the CIS 20 or NIST CSF, 800-171, or 800-53 Priority 1 (P1) controls in year one? Also, we can focus first on the highest-risk department.
- Depression: What do you mean you saved over my spreadsheet?
- Acceptance: Yes! We documented risk over time and identified key areas to reduce risk.
–Security/Risk Officer Tasked with Executing
So if it’s that painful, why do it?
In recent conversations with university CISOs and CIOs, the two most common needs they describe are:
- To begin documenting risk across their campus
- To go deep in a particular area or function to ensure regulatory compliance (e.g., the GLBA Safeguards Rule risk assessment, 16 CFR 314.4(b), for student financial aid data)
Documenting risk across campus
For campuses looking to document risk in the near term, the goal may be just an initial snapshot, or a first step toward a framework-wide assessment. They may be fairly confident that their stakeholders are managing risk but have no documentation to demonstrate it. Alternatively, they may have no idea how risk is being managed or mitigated beyond their immediate purview. These campuses often have some overarching framework in mind (e.g., the CIS 20 at a high level, or the full NIST 800-53 or CSF).
Going deep in a particular area
Even when a full assessment is the end goal, campuses usually plan to get there over time, starting with a smaller subset of questions and focusing first on the highest-risk units or departments. In subsequent years, they expand the question set and the units covered to achieve a broader campus-wide assessment against their preferred framework. The catalysts for pursuing a risk assessment in the near term include research universities that are increasingly required to document CUI compliance through NIST 800-171 or NIST 800-53 risk assessments, as well as schools that must comply with campus, system, state/provincial, or federal requirements for various GLBA, HIPAA, NIST, privacy-law, and/or COBIT assessments.
Choosing a framework can be difficult, but the most important part of a risk assessment is to start somewhere. In other words, get an initial question set in front of an initial group of key stakeholders and systems. From there, you can expand over time, building on the momentum of those initial learnings.
Asset Inventory & Classification
Under most frameworks, risk management begins with an inventory and classification of your campus' data and systems. Many campuses make asset inventory and classification the first step of the risk assessment process, taking a bottom-up approach that starts at the asset/host level. If that is the case on your campus, consider how risk assessment tools can help automate and organize the inventory and classification process, whether at the campus-wide or the department level.
Spreadsheets & Beyond
Many, if not most, risk assessment efforts begin with spreadsheets. Often these are built by a single individual who is tasked with managing long lists of controls, questions, or other data points, some narrowly and some broadly focused. A spreadsheet can be a useful starting point for assessing a single framework or question set, especially with a small number of stakeholders at a single point in time. However, as risk assessments grow more complicated, spreadsheets struggle to scale and the process stops being sustainable. Recognizing when to move from spreadsheets to a purpose-built solution is an inflection point that many reach when using spreadsheets for compliance and assessment work.
Alternatively, there are software solutions that can automate and streamline framework selection, question and response management, and asset inventory and classification, and that provide reporting to quickly identify areas for focus, outliers, and trends, and to document risk over time. When evaluating technology solutions, make sure the solution aligns with the unique aspects of higher education.
Elements of a successful IT risk program
Successfully implementing an IT risk program involves many elements, but the following list might help you get started:
- Securing key stakeholder buy-in
- Understanding your immediate and long term goals
- Commitment to a multiyear process
- Ditching the spreadsheets to ensure sustainability and scalability as your risk program matures
With clear goals and objectives, implementing an IT risk management program can be straightforward, though not necessarily easy. Having a clear goal in mind is essential for success. Are you looking for a first-pass, 10,000-foot view, or are you up against a deadline for a compliance-driven assessment but hoping for benefit beyond just checking the box? Whatever your goal, executive buy-in for the benefits of a risk assessment, or for the compliance requirement behind it, is key to securing resources and smoothing the inevitable push-back from busy respondents. Furthermore, a multiyear horizon is critical for more comprehensive assessments, because early-year findings let you demonstrate value to stakeholders and build a common language and commitment around risk reduction.
The hardest part of a risk assessment is getting started. There’s no better time than now to begin a sustainable risk assessment process on your campus.