Risk Assessment 101
A risk assessment reviews software, products, and/or services to evaluate the potential for loss or harm as it relates to information security. Any system that creates, receives, maintains, or transmits University-owned sensitive information OR that is considered mission-critical must have a risk assessment.
Risk assessments are completed by or in coordination with the Information Security Office and include:
- reviewing the security measures implemented to ensure that appropriate and current measures (i.e., controls) reduce risk, and
- developing a plan to treat any remaining risk (i.e., acceptance, mitigation, avoidance, or transference).
Although assessments follow a standard checklist of items to be completed, many extend beyond the checklist to obtain a more comprehensive view of risk, especially if relevant new threat information emerges during the assessment. Going beyond the checklist can make an assessment more time-consuming.
Do I need a risk assessment?
Most likely. Any information system that creates, receives, maintains, or transmits University-owned sensitive information OR that is considered to be mission-critical must have a thorough and timely risk assessment of the potential threats and vulnerabilities to the confidentiality, integrity, and availability of that system. An assessment must be completed for the purchase or integration of new technologies and/or if there are changes in the architecture of an existing system that may impact security controls. A mission-critical system is defined, by the system owner, as a system that is so critical to the mission of the business unit that any incident affecting it requires immediate attention.
How long does a risk assessment take?
It depends. Although the goal is to complete a risk assessment within five business weeks, turnaround time can vary depending on the complexity of the product, service or solution that needs the risk assessment and the ability of the vendor to provide sufficient information about their security controls. The ISO will work with each customer to understand their timeline and advise them on the appropriate direction to take. That may include recommending that the customer hire a third-party vendor who specializes in risk assessments and whose schedule may better meet the customer’s needs.
What is the outcome of a risk assessment?
The Chief Information Security Officer (CISO) for the University, or a delegate, reviews every risk assessment that is generated by the ISO. Once the CISO is confident that the assessment was thorough and no outstanding questions remain, the CISO makes a recommendation on how to proceed (“recommended,” “not recommended,” “needs additional review”). The results of the assessment are shared with the Data Governance Committee and other stakeholders, including the requestor. This concludes the risk assessment portion of the process from the ISO, but not the approval stage.
The Data Governance Committee weighs in on their comfort with the level of residual risk (risk that remains after appropriate security mitigations) associated with the project. The requestor and Data Governance Committee are ultimately responsible for making the decision on the associated risk and whether or not the purchase may proceed.
What is the difference between a risk assessment and risk acceptance?
Risk acceptance is the act of the Data Governance Committee accepting the level of risk identified by the risk assessment. Risk acceptance lies outside of the purview of the IT Security Office. The ISO does not make decisions on risk acceptance.
How do I request a risk assessment?
You should submit a ticket via ServiceNow to ITS-SECURITY to request a risk assessment. If you do not have a ServiceNow account, submit a ticket by visiting help.unc.edu or calling 919-962-HELP.
Please visit the Risk Assessment Program FAQ.