Information Asset Risk Management

Overview

The Information Technology risk assessment and analysis process identifies departmental mission critical business functions, services and data, as well as the information technology related assets required to support them. An IT risk assessment should be conducted prior to developing or updating a continuity plan. A business recovery plan addresses how assets will be operational after a disaster and is a plan that can be successfully implemented in a disruptive situation to implement basic services needed to resume business operations.

University Policy

In accordance with the University Information Technology Security Program Standard, the Office of Converged Technologies for Security, Safety and Resilience (CTSSR) is responsible for implementing university-wide information technology risk assessments (ITRAs). In addition, CTSSR is responsible for reviewing and retaining copies of university departmental IT risk assessments. Further guidance on conducting an ITRA, characterizing and prioritizing IT assets and risk response strategies can be located at the CTSSR IT Risk Assessment Website located in the references below.

Departmental Responsibilities

Having an awareness of how technological risks can impact the day-to-day business activities
Completing a departmental business impact analysis/risk assessment
Making a commitment to ensure that the department can be prepared for any situation
Understanding ITRAs and how to conduct them. This requires the input of both the administrative leaders and information technology experts, and how ITRAs relate to Continuity Plans.

Internal Controls

Developing a business recovery plan to resume day-to-day operations in the event of a technological disaster. This is normally done as part of the Departmental Continuity of Operations Plan (COOP).
Developing, documenting, maintaining and testing the plan to ensure that day-to-day operations can be resumed within a reasonable timeframe