Risk Assessment Program FAQ
What is a Risk Assessment?
A risk assessment is the systematic process of evaluating the potential for loss or harm (risks). The assessment includes 1) reviewing the security measures implemented to assure that those measures (i.e., controls) reduce risk, and 2) developing a plan to treat any remaining risk (i.e., acceptance, mitigation, avoidance, transference).
The objective of a risk assessment is to identify, analyze and prioritize risks to the organization due to a threat (an event or factor which can endanger or destroy an asset — e.g. a new software program). While an assessment can follow a checklist of items to be completed, assessment activity can, and usually does, extend beyond the items on the checklist to obtain a more comprehensive view of risk. This is especially true if relevant new threat information emerges during an assessment, which can make the assessment more time-consuming. Responsiveness of the department or group being assessed is an essential component of completing an assessment rapidly.
Is a Risk Assessment the same thing as an Audit?
No, it is not. During an audit, an organization’s controls are measured against a standard (internal, contractual or legal). It is, essentially, a control to check whether people are doing what they should be doing based on policy, regulation, contract agreements, etc., whereas an assessment examines risks to the organization (see the previous question). Another difference is that an audit must be performed by an independent party.
When do I need to undertake a Risk Assessment?
The UNC-Chapel Hill Information Security Controls Standard states: “Any information system that creates, receives, maintains, or transmits University-owned sensitive information must have a thorough and timely risk assessment of the potential threats and vulnerabilities to the confidentiality, integrity, and availability before the purchase or integration of new technologies and/or changes in the architecture of an existing system that may impact security controls.”
In addition, if an information system is considered mission critical by the owning business department – regardless of the nature of the information that is created, received, maintained, or transmitted – a risk assessment must be performed.
What is involved in a Risk Assessment?
A risk assessment is performed either by the Information Security Office (ISO), the School of Medicine, or an approved third-party vendor who specializes in risk assessments. Information is gathered about the information system and the data that will be used in that system. Security controls are examined to determine whether there are gaps (risks). If gaps (risks) are found, an action plan for how those risks will be treated or mitigated must be developed.
Note: For applications associated with the School of Medicine, the assessment will be conducted by the respective security staff in collaboration with the Information Security Office.
How long does a Risk Assessment take?
A risk assessment must be thorough in order to be effective, and the gathering of information may take time. There may be many stakeholders who need to be involved in the process. The assessment effort must be balanced against the timeliness and the business needs of the customer. A typical assessment may take days, weeks, or even months depending on the size, complexity, and scope.
So, while there is no easy answer (“it depends”), the ISO will work with each customer to understand their timeline and advise them on the appropriate direction to take. That may include recommending that the customer hire a third-party vendor who specializes in risk assessments and whose schedule may better meet the customer’s needs.
What are the criteria for deciding who performs the Risk Assessment?
There are a number of factors that go into this decision, including:
• Resource availability
• Skill sets
• Ownership of data and/or application
Again, the customer may be advised to hire a third-party vendor. The ISO will maintain a list of preferred vendors for this purpose.
Who needs to approve a Risk Assessment?
The Chief Information Security Officer (CISO) for the University, or a delegate, reviews each risk assessment that is generated by the ISO. Once the CISO is confident that the assessment was thorough and no outstanding questions remain, the results of the assessment can be shared with the Data Governance Committee and other stakeholders. The Data Governance Committee will weigh in on whether they are comfortable with the level of residual risk (risk that remains after appropriate security mitigations) associated with the project. An exit meeting is scheduled and the assessment is reviewed. The CISO will coordinate and resolve risk treatment decisions with the sponsor and the Data Governance Committee.
Is the Risk Assessment process different when using a third-party vendor?
In some aspects, yes, it is. When the department decides to hire an external vendor to do the assessment, the ISO will work with the customer to develop a Statement of Work (SOW) that the external vendor will use to conduct the assessment. The ISO has worked with preferred external vendors to ensure that the University’s security controls are assessed. Consequently, the results of the assessment should be similar in nature to those of assessments conducted internally.
Instead of working directly with the ISO throughout the life of the assessment, the customer will work with the external vendor. The ISO will consult with the customer to review the results and answer any questions.
How do I request a Risk Assessment?
You should submit a ticket via ServiceNow to ITS-SECURITY requesting a risk assessment. If you do not have a Remedy account, contact help.unc.edu or 919-962-HELP.
We encourage you to contact the ISO as soon as you hear of possible plans to acquire a product or service that, by the above definition, may require a risk assessment. This will provide the best chance to review the project and help determine the appropriate course of action.
If your project arrives at the Procurement office without review by the ISO, the request may not be processed immediately. You will be asked to complete the Data Protection Checklist. If the results indicate that a risk assessment is required, the Procurement office will refer the matter to the ISO.