Risk Assessment in Higher Ed: What Are Your Goals?
Preparation is a key step in implementing any Risk Management Plan. Last week we briefly discussed determining up front what are you trying to accomplish from your risk assessment: snapshot, documentation, compliance box check, roadmap to reduce future risk/improve security posture etc. Prepare is the important first step in the NIST Risk Management Plan (NIST 800-37).
Among other things preparation includes determining the scope of the risk assessment including: What department and systems are you planning to assess? What frameworks you are going to use? What controls are you going to assess? What technology are you going to use to implement the Risk Management process? What output will the process yield and how do you intend to use it?
Notably in the last two months, we have had a significant increase in the number of campuses asking about specific compliance driven assessments. These include a GLBA 314.4(b) Risk Assessment for FY’18 US Department of Education Audit Requirement for schools that participate in Federal Student Aid program. While compliance may be driving the short term objective it is important to maximize the value of your efforts by determining appropriate longer term goals as well.
Many schools are looking at specific compliance assessments as a starting point for a multi-year phased approach for implementing broader campus-wide risk assessments. In this case Year 1 serves as a starting point to identify immediate compliance requirements and choose overarching framework. As well as to assess an initial representative set of questions for overarching framework including coverage of compliance requirements. For example, a school may choose an initial NIST 800-53 subset of questions that covers CUI, FERPA and HIPAA focusing in year 1 on critical units/ departments. From there schools will add additional questions and departments each year, building momentum and support from initial wins with the goal of a campus wide NIST 800-53 assessment in year 3+. Alternately, a school may have a pressing need for GLBA 314.4(b), but a longer term objective for/ roadmap to NIST 800-171, CSF or CIS 20.
Cam Beasley, CISO at University of Texas at Austin (UT) reflects on starting a campus wide Risk Assessment program at UT several years ago: “Initially we received lots of ‘feedback.’ It took a couple years for faculty and stakeholders to warm up to it. Scaling up scope and questions sets over time helped, especially when we were able to come back in year 2 and 3 with report outs to stakeholders ‘Here is what we learned…’ A good reporting capability can also help a lot with stakeholder buy in. Reports show progress over time and can help quickly identify areas for focus and quick wins across campus or to align individual departments with the broader institution.”
To help automate the process Cam’s team at UT custom built an application they call ISORA, specifically designed to conduct IT Risk Assessments as well as to standardize and automate the widely distributed Asset Inventory and Classification process. Over the last decade, ISORA has allowed UT to evolve from a handful of questions focused on critical departments and systems to a broad campus wide assessment covering 95k systems in over 175 unique departments. Cam further remarks that “ISORA has grown a lot more mature since initial roll out as we continue to tune, modify and further develop based on stakeholder input.”
So what are your campuses short and long term goals in Risk Assessment? Are you conducting comprehensive campus wide evaluations across a broad risk framework or trying to get a snapshot of risk as a starting point for your Risk Management Plan? What frameworks are you looking to assess? In our next post we will talk about where Risk Assessment fits into a broader Risk Management Plan such as NIST 800-37. Also how campuses can use technology to streamline and automate Risk Management Planning – both to simplify the process and maximize the information generated for improvement of Risk Profile over time.