Getting Started with IT Risk Assessments in Higher Ed
IT risk assessments are a critical component of a mature security program. That being said, implementing a program from scratch can be a daunting task, faced with obstructions from all sides.
Successfully implementing an IT risk program involves many elements:
- Securing key stakeholder buy-in
- Understanding your immediate and long-term goals
- Commitment to a multiyear process
- Ditching the spreadsheets to ensure sustainability and scalability as your risk program matures
With clear goals and objectives, implementing an IT risk management program can be straightforward, but not necessarily easy. Having a clear goal in mind is essential for success. Are you looking for a first-pass, 10,000-foot view? Are you fairly sure your campus is doing the right thing and just looking for documentation? Are you up against a deadline for a compliance-driven assessment but hoping for benefit beyond just checking the box? For the longer term, maybe you aspire to a full NIST 800-53 or similar assessment, but know your campus will mutiny if you try to start there. Whatever your goal, having executive buy-in, whether for the benefits of a risk assessment or for the compliance requirement, is key to securing resources and helping to smooth the inevitable push-back from busy respondents. Furthermore, a multiyear horizon is critical for more comprehensive assessments, as early-year findings can be used to demonstrate stakeholder value and drive a common language and commitment around risk reduction.
The five stages of risk assessment
(Apologies in advance to Kübler-Ross)
- "If we don't assess risk, we don't have risk."
- "Why are you doing this?"
- "What if we start with CIS 20 or NIST CSF/800-171/800-53 P1 controls in year one? Also, we can focus first on the highest-risk department."
- "What do you mean you saved over my spreadsheet?"
- "Yes! We documented risk over time and identified key areas to reduce risk."
– Security/Risk Officer tasked with executing
So if it’s that painful, why do it?
In recent conversations with university CISOs and CIOs, the two most common needs they raise are:
- To begin to document risk across their campus
- To go deep in a particular area/function to ensure regulatory compliance (e.g., GLBA 314.4.b Risk Assessment for Student Financial Aid)
Documenting risk near term & over time
For campuses looking to document risk in the near term, the goal may be just an initial snapshot, or a first step toward a framework-wide assessment. They may be fairly confident that their stakeholders are managing risk, but have no documentation to demonstrate it. Alternatively, they may have no idea how risk is being managed and/or mitigated beyond their immediate purview. These campuses often have some overarching framework in mind (e.g., high-level CIS 20, or full NIST 800-53/CSF).
Even when a full assessment is desired, they are usually looking to get there over time, starting with a smaller subset of questions and focusing first on the highest-risk units/departments. In subsequent years, they intend to expand the question set and the units covered to achieve a broader campus-wide assessment against their preferred framework. The catalysts for pursuing risk assessment in the near term include research universities that are increasingly required to document CUI compliance through NIST 800-171 or NIST 800-53 risk assessments, as well as schools that need to comply with campus, system, state/provincial, or federal requirements for various GLBA, HIPAA, NIST, privacy law, and/or COBIT assessments.
Asset inventory & classification
The starting point for risk management under most frameworks is the inventory and classification of your campus' data and systems. Many campuses incorporate asset inventory and classification as the first step of the risk assessment process, taking a bottom-up approach that begins at the asset/host level. If this is the case on your campus, it is important to consider how risk assessment tools can help automate and organize your asset inventory and classification process, whether at the campus-wide or department level.
Spreadsheets & beyond
Many, if not most, risk assessment efforts begin with spreadsheets. Often, these are built by a single individual who is tasked with managing large lists of controls, questions, or other narrowly and broadly focused data points. A spreadsheet can be a useful starting point for assessing a single framework or set of questions, especially for a small number of stakeholders at a single point in time. However, as risk assessments get more complicated, spreadsheets struggle to scale and the sustainability of the process breaks down. This occurs as policy and framework-specific requirements evolve, resulting in question sets that are increasingly difficult to manage and keep up to date. Additionally, the scope of the risk assessment can grow rapidly to require information from other stakeholders across campus, increasing the manual work to initiate, track, and capture responses. Add to this that risk management is a continuous process rather than a one-and-done event, and it's easy to see how spreadsheets quickly become overly complex, time consuming, and difficult to manage, to say nothing of accidental data corruption or outright loss.
Alternatively, there are software solutions that can automate and streamline framework selection, question and response management, and asset inventory and classification, and that provide reporting capabilities to quickly identify areas for focus, outliers, and trends, and to document risk over time. When evaluating technology solutions, it is important to ensure the solution aligns with your specific goals and will fit within the unique aspects of higher education.
Well, this post got a little more in depth than the overview initially intended. Hopefully it provided a good overview and an actionable starting point for kicking off a risk assessment at your campus, and didn't scare you away. The most important part of risk assessment is to start somewhere. In other words, get an initial question set in front of an initial group of key stakeholders and systems. From there, you can expand over time, building on the momentum of those initial learnings.
Are you kicking off or expanding a risk assessment program at your campus this year? What is driving your activities and approach? What considerations matter most to your campus? The hardest part of a risk assessment is getting started.