What are risk assessments?
Assessing risks and potential threats is an important part of running any organization, but risk assessment is especially important for IT departments that have control over networks and data. The purpose of IT risk assessment is to help IT professionals identify any events that could negatively affect their organization.
Our job is to identify risks and engage appropriate controls for reduction or elimination of:
- Loss of control to Rice data and IT services
- Loss of integrity to Rice data and IT services
- Accessibility to Rice data and IT services
What do we do?
The Compliance team works internally with various departments and groups within Rice to coordinate our activities. These include evaluating security controls, identifying and assessing risks, proposing risk reduction strategies, quantifying and scoring risks using a risk analysis process. Once the assessment is completed, the results are forwarded to ISO management for approval. If approved, the project is allowed to move forward. Occasionally the service does not meet the risk tolerance requirements and additional work is required. Groups we work closely with include the Office of General Council, Rice Compliance Office, Office of the Registrar, SPARC, Purchasing, and the OIT divisions Enterprise Applications and Project Management Office.
In addition, the compliance group also works internally with ISO on vulnerability assessments, risk analysis of software, service reviews, and deployments of equipment and services. We also help draft and maintain security policies and procedures.
How are risks assessed?
Weighing Risks and Controls
Upon receipt of a risk assessment request, the compliance team will assess the possibility of loss of control, loss of integrity, or loss of access to Rice data and IT services in the use of the service or system being assessed. The risks are identified and quantified. The data exposed in the service or system is evaluate and quantified. These factor are scored and weighed against the existing or proposed security controls to see how they compare. If the controls are on par or outweigh the risks, then the services is scored as moderate or low risk. If the risks outweigh the controls, the service or systems is scored as high risk. In all cases, the scoring is presented to management for review and approval or rejection. In some cases of rejection, the institional decision makers can decide to accept a high risk. In such cases, there may be conditional approval. An example would be to accept a high risk for a short duration, or if it is deemed necessary to achieve a higher goal. Once a decision is made, the compliance team informs the service or systems owner of the outcome. If approval is granted, the service is documented and marked for annual review. If approval is denied, the service owner can discuss options with ISO.