Virginia Tech® home

Information Asset Risk Management


The Information Technology risk assessment and analysis process identifies departmental mission critical business functions, services and data, as well as the information technology related assets required to support them.  An IT risk assessment should be conducted prior to developing or updating a continuity plan.  A business recovery plan addresses how assets will be operational after a disaster and is a plan that can be successfully implemented in a disruptive situation to implement basic services needed to resume business operations.

In accordance with the University Information Technology Security Program Standard, the Office of Converged Technologies for Security, Safety and Resilience (CTSSR) is responsible for implementing university-wide information technology risk assessments (ITRAs). In addition, CTSSR is responsible for reviewing and retaining copies of university departmental IT risk assessments. Further guidance on conducting an ITRA, characterizing and prioritizing IT assets and risk response strategies can be located at the CTSSR IT Risk Assessment Website located in the references below.

  • Having an awareness of how technological risks can impact the day-to-day business activities
  • Completing a departmental business impact analysis/risk assessment
  • Making a commitment to ensure that the department can be prepared for any situation
  • Understanding ITRAs and how to conduct them. This requires the input of both the administrative leaders and information technology experts, and how ITRAs relate to Continuity Plans.
  • Developing a business recovery plan to resume day-to-day operations in the event of a technological disaster.  This is normally done as part of the Departmental Continuity of Operations Plan (COOP).
  • Developing, documenting, maintaining and testing the plan to ensure that day-to-day operations can be resumed within a reasonable timeframe