The Risk Assessment Standard for Information Technology Systems covers all VCCS and college business processes and the related Information Technology infrastructure. 

The Risk Assessment Standard for Information Technology Systems process is applicable to the System Office and all Colleges.

STANDARD

The VCCS Vice Chancellors and individual College Presidents are responsible for conducting a risk assessment of all sensitive information technology systems. The Contingency Planning Coordinator, assigned in the Business Impact Analysis stage of the Contingency Planning and Business Recovery Program, will coordinate the risk assessment process and provide an executive summary to advise all applicable parties of all known threats so that security safeguards can be effectively utilized to minimize the potential for future losses.

• A risk assessment must be conducted every three years. The risk assessment process should be conducted on all new systems as they are acquired.

• An annual self-assessment should be conducted to assess the continued validity of the formal risk assessment.

Once the appropriate worksheets of the Business Impact Analysis Template are complete, an understanding of the systems processing environment should be shown. A risk assessment must be completed for each system classified as sensitive to include:

• The identification of potential threats to a system and the environment in which the system operates.

  • To determine a potential threat to a system it is important to consider all threat sources. These include:

    • Natural Threats such as floods, tornadoes, hurricanes, electrical storms and similar events.

    • Human Threats caused by or enabled by humans that may be intentional or unintentional.

    • Environmental Threats such as long-term power failure, roof leaks, exposure to chemical substances and similar threats.

• A determination of the likelihood the threat will occur.

  • To determine a likelihood of a threat occurring, motivation and capability, the nature of the vulnerability, and the existence and effectiveness of internal controls must be considered. A likelihood level applied to the threat source will assist in determining the likelihood that a potential vulnerability exists. Levels include:

    • High – the threat source is highly motivated and sufficiently capable. Controls to prevent the vulnerability from being exercises are ineffective.

    • Medium – the threat source is motivated and capable but controls are in place that may impede successful exercise of the vulnerability.

    • Low – the threat source lacks motivation or capability or controls are in place to prevent or significantly impede the vulnerability from being exercised.

• The identification and evaluation of vulnerabilities.

  • To develop a list of system vulnerabilities that could be exploited by potential threat sources, an analysis of the vulnerabilities associated with an IT system must be completed.

• The determination of the loss impact if one or more of the vulnerabilities are exploited by a potential threat. The impact of the loss of integrity, availability, and confidentiality have been evaluated in the IT Systems Data and Sensitivity Classification section of the Business Impact Analysis Template and should be referred to during this process as needed.

Risk Mitigation recommendations must also be included in the risk assessment. The goals and mission of the VCCS or college should be considered when selecting the risk mitigation options. This process is addressed during the questionnaire process and options should be selected from the following:

• Aware of risk, need to correct
  • Acknowledgement of the vulnerability or flaw and that, measures will be taken to research controls to correct the vulnerability.
• Aware of risk, risk is acceptable
  • Indication of the acceptance of the potential risk and that the system will continue to operate or that controls may be implemented to lower the risk to an acceptable level.
• Not applicable

Questionnaires are listed below to assist in evaluating the risks and exposures. The VCCS and individual colleges are encouraged to utilize the questionnaires listed below and are encouraged to develop additional questionnaires as deemed necessary to complete the overall risk assessment process.

A brief narrative of each form is included; as well as, a recommendation of the employee position to most appropriate to complete the questionnaire.

This questionnaire collects information on the organizations development and implementation of standards, best practices, and etc. prescribed in the COV ITRM Standard SEC501-01, Information Technology Security Standard.  The individual(s) responsible for coordinating and planning the business recovery effort functions is the recommended candidate to complete this questionnaire. (Contingency Planning Coordinator)

This questionnaire collects information on computers utilized as servers that meet the needs of customers for file, print, application, database, web, mail, and etc. The individual(s) responsible for server administration functions would be the recommended candidate to complete this questionnaire. (System Administrator)

This questionnaire collects information on Local Area Network (LAN).  The individual(s) responsible for the Local Area Network is the recommended candidate to complete this questionnaire. (LAN Administrator)

Contingency Planning and Business Recovery Program, Application Management Questionnaire 

This questionnaire collects information on Application Management.  The individual(s) responsible for application support is the recommended candidate to complete this questionnaire. (Application Support Administrator)

This questionnaire collects information on the Logon procedures in place for all applications and services that are provided.  The individual(s) responsible for the security access to applications and services is the recommended candidate to complete this questionnaire. (Security Administrator)

This questionnaire collects information on the operations and administrative support of software and hardware.  The individual(s) responsible for distribution and support of hardware and software is the recommended candidate to complete this questionnaire. (Operation Support Administrator) 

 Contingency Planning and Business Recovery Program, Enterprise Application Management Questionnaire

This questionnaire collects information on the VCCS or College development and implementation of standards and best practices prescribed in the COV ITRM Standard SEC501-01.  The individual(s) responsible for application support would be the recommended candidate to complete this questionnaire (Application Support Administrator).

Requirement:

The Contingency Planning Coordinator will produce an Executive Summary to advise all applicable parties of all known threats so that security safeguards can be effectively utilized to minimize the potential for future losses. The Executive Summary should include the purpose and scope of the assessment, the manner in which the data was collected (via interviews, questionnaires, etc.), and the risk assessment results.

The risk assessment results must contain a formal written response for all questions where a "No" response was recorded on the questionnaire. This information will be obtained from the individual questionnaire and will include the threat, likelihood, vulnerability, and risk mitigation information. A summary table may be included at the end of each questionnaire category referenced in the Executive Summary. If potential privacy risks are identified, measures need to be taken to avert or mitigate these risks. The nature of these measures must be outlined for each risk.

Additional security controls should be applied to protect against significant risks. Additional control areas are listed below and links are provided to the specific documents which discuss each security control area: