IT & Cybersecurity Risk Management

The University of Chicago


The University of Chicago, or UChicago, is an R1 university in Chicago, Illinois, that ranks among the top universities in the world. As a leading research institution, UChicago educates over 18,000 students annually.

The Challenge

“Every department at the University of Chicago functions like a state with its own goals, authority, and power. That all creates [often unseen] risk,” says Jessica Sandy, an IT Risk Analyst on the UChicago Information Assurance team, a subset of the larger Information Security team. She’s responsible for several different tasks in the area of IT & Cybersecurity Risk Management, including reviewing contracts, creating policies, training staff, and assessing information security risks.

Although most of UChicago’s IT & Cybersecurity Risk Management is centered around NIST CSF, many of the 45-and-counting units require compliance with differing regulations such as CMMC, DFARS, GLBA, GDPR, FERPA, and more. Highly sensitive environments, like the Biological Sciences Department and the Medical Center, also require compliance with HIPAA. Many of these entities also have their own information security teams that operate separately from Sandy’s team but still collaborate with them.

To make matters more complex, before implementing Isora GRC, everything UChicago did to calculate IT risk was manual, conducted via Qualtrics, outdated Excel spreadsheets, and a homegrown tool that did not cover the entire organization.

It was [a very] time-intensive, manual process. Assessments were all I did for a year.

Sandy goes on to say that UChicago needed a way to ensure that academic freedom and technological development weren’t at odds with one another. On the one hand, “you have to keep up, but you also have to do what you need to stay secure.”

These challenges prompted UChicago to search for a platform that would let them easily quantify IT & cybersecurity risk across dozens of departments, involve busy department heads, and eradicate inconsistent manual processes that took time and resources away from other dimensions of IT Risk Management.

The Solution

The University of Chicago found their time-saving solution in Isora GRC from SaltyCloud, a lightweight platform designed to enhance cyber resilience by streamlining the burden of information security risk management.

  • Preloaded NIST CSF templates save time and allow UChicago to automate the distribution of their questionnaires and customize them wherever needed across units.
  • Auditable system-of-record features make it easy to measure progress and change over time, so even the most granular risk mitigation efforts can be tracked more effectively.
  • It allows the university to broaden its scope beyond its manual limitations without the extra bells and whistles, the “overkill,” of the behemoth competitors they considered.
  • Ongoing support from the SaltyCloud team provides a partner in growth as they scale their process and expand their use cases outside of IT.

It’s easy to scale, and the time to value is great. It only took us a month to get what manually took us eight months.

Isora GRC also makes it easy for Sandy’s team to remain flexible and iterate to stay ahead of constantly evolving regulations and cyber threats.

The Benefits

Since UChicago adopted Isora GRC, Sandy and her team have observed numerous positive outcomes in their workflow. With Isora GRC, the University of Chicago can:

  • Remain flexible and able to iterate on assessments efficiently as new data points illuminate the unknown.
  • Extract assessment data easily for deeper analysis, moving from dense, convoluted spreadsheets to insightful reports.
  • Regain valuable time spent on manual processes to focus on new risk dimensions.
  • Obtain better data for more strategic conversations with department heads and UChicago leadership.