Getting Started with IT Risk Assessments in Higher Ed
IT Risk Assessments are a critical component of a mature security program. That being said, implementing a program from scratch can be a daunting task, faced with obstructions from all sides.
Successfully Implementing an IT Risk Program Involves Many Elements
Securing Key Stakeholder Buy-In
Understanding Your Immediate and Long Term Goals
Commitment to a Multiyear Process
Ditching the Spreadsheets to Ensure Sustainability and Scalability as Your Risk Program Matures
With clear goals and objectives, implementing an IT Risk Management Program can be straightforward, but not necessarily easy. Having a clear goal in mind is essential for success. Are you looking for a first-pass, 10,000-foot view? Are you fairly sure your campus is doing the right thing and just looking for documentation? Are you up against a deadline for a compliance-driven assessment but hoping for benefit beyond just checking the box? For the longer term, maybe you aspire to a full NIST 800-53 or similar assessment, but know your campus will mutiny if you try to start there. Whatever your goal, having executive buy-in for the benefits of a Risk Assessment and/or the compliance requirement is key to securing resources and helping to smooth the inevitable pushback from busy respondents. Furthermore, a multiyear horizon is critical for more comprehensive assessments, as you are able to use early-year findings to demonstrate stakeholder value and drive a common language and commitment around risk reduction.
The Five Stages of a Risk Assessment
(Apologies in advance to Kübler-Ross)
“If we don’t assess Risk we don’t have Risk” –Management?
“Why are you doing this?” –Stakeholders
“What if we start with NIST CSF or CIS 20 or Priority 1 NIST 800-53 controls in year one? Also we can focus first on highest risk departments” –Savvy CISO
“What do you mean you saved over my spreadsheet?” –Security/Risk Officer tasked with executing
“Yeah! – We documented Risk over time and identified key areas to reduce risk”
So If It Is That Painful, Why Do It?
In recent conversations with University CISOs and CIOs, the two most common needs they raise are:
(1) To begin to document risk across their campus; and/or
(2) To go deep in a particular area/function to ensure regulatory compliance (e.g., GLBA 314.4.b Risk Assessment for Student Financial Aid).
For campuses looking to document risk in the near term, the goal may be just an initial snapshot or to start building towards a framework-wide assessment. They may be fairly confident that their stakeholders are managing risk, but have no documentation to demonstrate this. Alternatively, they may have no idea how risk is being managed and/or mitigated beyond their immediate purview. These campuses often have some overarching framework in mind (e.g., high-level CIS 20 or full NIST 800-53/CSF). Even when a full assessment is desired, they are usually looking to get there over time, starting with a smaller subset of questions and/or focusing first on the highest-risk units/departments. In subsequent years, they intend to expand the question set and/or units covered to achieve a broader campus-wide assessment against their preferred framework. The catalysts for pursuing Risk Assessment in the near term include research universities that are increasingly required to document CUI compliance through NIST 800-171 or NIST 800-53 Risk Assessments, as well as schools that need to comply with campus, system, state/provincial, or federal requirements for various GLBA, HIPAA, NIST, Privacy Law, and/or COBIT Assessments.
Asset Inventory and Classification
The starting point for Risk Management under most frameworks is the inventory and classification of your campus’ data and systems. Many campuses incorporate Asset Inventory and Classification as the first step of the Risk Assessment process, starting with a bottom-up approach that begins at the Asset/Host level. If this is the case on your campus, it is important to consider how Risk Assessment tools can help automate and organize your Asset Inventory and Classification process, whether at the campus-wide or department level.
Spreadsheets & Beyond
Many, if not most, Risk Assessment efforts begin with spreadsheets. Often, these are built by a single individual who is tasked with managing large lists of controls, questions, or other narrow- and broad-focused data points. A spreadsheet can be a useful starting point for assessing a single framework or set of questions, especially for a small number of stakeholders at a single point in time. However, as Risk Assessments get more complicated, spreadsheets struggle to scale and the sustainability of the process breaks down. This occurs as policy- and framework-specific requirements evolve, resulting in question sets that are increasingly difficult to manage and keep up to date. Additionally, the scope of the Risk Assessment can grow rapidly to require information from other stakeholders across campus, increasing the manual work to initiate, track, and capture responses. Add to this the fact that Risk Management is a continuous process rather than a one-and-done event, and it’s easy to see how spreadsheets quickly become overly complex, time consuming, and difficult to manage, not to mention prone to accidental data corruption or outright loss.
Alternatively, there are software solutions that can automate and streamline framework selection, question and response management, and asset inventory and classification, as well as provide reporting capability to quickly identify areas for focus, outliers, and trends, and to document risk over time. When evaluating technology solutions, it is important to ensure the solution aligns with your specific goals and will work within the unique aspects of Higher Education.
Well, this post got a little more in-depth than the overview initially intended. Hopefully it provided a good overview and an actionable starting point for kicking off a Risk Assessment at your campus, and didn’t scare you away. The most important part of Risk Assessments is to start somewhere. In other words, get an initial question set out to an initial group of key stakeholders/systems. From there, you can expand over time, building on the momentum of those initial learnings.
Are you kicking off or expanding a Risk Assessment program at your campus this year? If so, let us know in the comment section. What is driving your activities and approach? What considerations matter most to your campus?
The Hardest Part of Risk Assessment Is Getting Started
If you would like more information about Risk Assessments in Higher Ed or about using ISORA for your Risk Assessment, please contact SaltyCloud for more information. And be sure to check back weekly between now and the EDUCAUSE Security Professional Conference for new blog posts specifically regarding Risk Assessment in Higher Ed.