
A risk assessment reviews software, products, and/or services to evaluate the potential for loss or harm as it relates to information security. Any system that creates, receives, maintains, or transmits University sensitive information OR that is considered mission-critical must have a risk assessment.

Risk assessments are completed by or in coordination with the Information Security Office and may include:

  1. reviewing the security measures implemented to ensure that appropriate and current measures (i.e., controls) reduce risk, and
  2. developing a plan to treat any remaining risk (i.e., acceptance, mitigation, avoidance, or transference).

Although assessments follow a standard checklist of items to be completed, many extend beyond the checklist to obtain a more comprehensive view of risk, especially if relevant new threat information emerges during the assessment. This can make an assessment more time-consuming.

Do I need a risk assessment?

Most likely. Any information system that creates, receives, maintains, or transmits University sensitive information OR that is considered to be mission-critical must have a thorough and timely risk assessment of the potential threats and vulnerabilities to the confidentiality, integrity, and availability of that system. An assessment must be completed for the purchase or integration of new technologies and/or if there are changes in the architecture of an existing system that may impact security controls. A mission-critical system is defined by the system owner as a system that is so critical to the mission of the business unit that any incident requires immediate attention.

How should I request a risk assessment?

Please submit a request for “University Data Assistance” (at the bottom of each page at datagov.unc.edu). This will trigger reviews that include the risk assessment. Depending on the type and Tier of the data, the risk assessment will take an appropriate path, and you will be guided through the process. If you have Tier 2 data (or below) and certain other conditions are met, you will receive guidance on performing a self-assessment process. If a full assessment by a Security Risk Analyst is needed, that will be requested for you.

What is the self-assessment “Express Lane” process?

If your project is appropriate for the self-assessment, you will need to request security documentation from your vendor (you would need to ask for this for a Security Office analyst assessment as well). You will be sent an email with a description of what to ask the vendor for. Then you will need to read what they provide and make a judgment about whether that vendor appears to have a security program in place. Remember, you are responsible for the security of University data and the systems you use. You will also need to be sure that the purchasing process includes data protection in the contract or other agreement. Standard UNC data protection terms are acceptable.

How long does an Analyst risk assessment take?

It depends. Although the goal is to complete a risk assessment within five business weeks, turnaround time can vary depending on the complexity of the product, service, or solution that needs the risk assessment and on the ability of the vendor to provide sufficient information about their security controls. The ISO will work with each customer to understand their timeline and advise them on the appropriate direction to take. That may include recommending that the customer hire a third-party vendor who specializes in risk assessments and whose schedule may better meet the customer’s needs.

What is the outcome of an Analyst risk assessment?

The Chief Information Security Officer (CISO) for the University, or a delegate, reviews every risk assessment that is generated by the ISO. Once the CISO is confident that the assessment was thorough and no outstanding questions remain, the CISO makes a recommendation on how to proceed (“recommended,” “not recommended,” “needs additional review”). The results of the assessment are shared with the Data Governance Committee and other stakeholders, including the requestor. This concludes the risk assessment portion of the process from the ISO, but not the approval stage.

The Data Governance Oversight Group weighs in on its comfort with the level of residual risk (the risk that remains after appropriate security mitigations) associated with the project. The requestor, their unit, and the Data Governance Oversight Group are ultimately responsible for making the decision on the associated risk and whether or not the purchase may proceed.

What is the difference between a risk assessment and risk acceptance?

Risk acceptance is the act of the Data Governance Oversight Group accepting the level of risk identified by the risk assessment and other information. Risk acceptance lies outside of the purview of the IT Security Office. The ISO does not make decisions on risk acceptance.

Additional Questions?

Please visit the Risk Assessment Program FAQ.