Business Analysis and Risk Assessment
Business Analysis and Risk Assessment refer to those practices, technologies and services used
- to identify information resources that are confidential or critical to the University and
- to identify and evaluate the potential security threats, and associated risks, to those resources.
The starting point of establishing effective information technology security is to identify the information resources that are owned or used by the University. Information resources include institutional data, information technology, and associated personnel. Once identified, the University determines which of these resources require protection against unavailability, unauthorized access, or disclosure, based largely on their level of sensitivity. For example, particular information may require protection under federal or state laws or regulation, or the unavailability of a database may adversely affect the ability of the University to accomplish its mission. This process is referred to as business analysis (or business impact analysis).
Once the level of sensitivity of the information resources has been identified through the business impact analysis, the threats to which they are subject need to be identified and evaluated. This process is referred to as a risk assessment. As an example, the probability of each threat event occurring and the resultant impact of that event on the information resources could be assessed during this process. Examples of potential impacts that would adversely affect the University include financial loss, public embarrassment, loss of public confidence, noncompliance to state or federal statutes, and degraded service to users of our systems.
Based on the business impact analysis and the risk assessment, the University determines what types of safeguards are appropriate to address risks. In this manner, the safeguards deployed reflect the true importance of the University's investment in the information resources used to accomplish the University's mission. All implemented safeguards refer back to business impact analysis and risk assessment. Through this process, the University also decides if and when a residual level of risk may be acceptable.
Business impact analysis and risk assessment are not a one-time task or project, but rather an ongoing operational process. Both internal changes (e.g., changes to technical infrastructure or to applications) and external changes (e.g., technology advances, new federal statutes, etc.) could directly affect the level of sensitivity of, and the threats applicable to, information resources. The University, therefore, periodically uses business impact analysis and risk assessment techniques to determine whether its security safeguards are relevant and adequate, and then updates its safeguards accordingly.
[Adapted from materials provided by the Virginia Alliance for Secure Computing and Networking (VA SCAN -- see http://www.vascan.org)]
University Standards for Business Analysis and Risk Assessment
- The President of the University of Mary Washington is responsible for the security of the University's information resources. In accord with state policy, the President formally appoints an Information Security Officer (ISO) who is responsible for the development, implementation, oversight, and maintenance of the University's information security program. The President has appointed the Director of Information Technologies Security as ISO.
- The University has established, documented, implemented and maintained an information security policy and program appropriate to its particular business and technology environment (see UMW Information Technology Security Program at http://www.umw.edu/policies/itsecurityprogram). The policy and program is consistent with federal and state regulations and laws.
- Requests for exceptions to any security standards in the University IT Security Program are forwarded for consideration and approval to the director(s) of the division(s) of the Department of Information Technologies with technical expertise on the systems involved. The appropriate directors advise the ISO on the implications of the request, and the ISO is responsible for approving or denying the request. The Vice President for Information Resources serves as the point of appeal regarding ISO decisions.
- The ISO, in partnership with the University's Internal Auditor and with consultation as appropriate with the senior officers of the institution, updates at least every three years a business impact analysis and risk assessment throughout the University (including relevant partners or vendors) to
- identify the various levels of sensitivity associated with the information resources
- identify the potential security threats to those resources
- determine the appropriate level of security to be implemented to safeguard those resources.
- The University's security programs include protective measures and procedures to ensure that the appropriate levels of confidentiality, integrity and availability of data, information, and systems are sustainable.
- Development, installation and/or changes to the University data environment, technical infrastructure, and information systems are reviewed for security implications by the University's ISO as part of the planning and design process, and are then monitored and coordinated thoroughly during development and implementation. Acknowledgement of the review by the University's ISO is documented and auditable.
- The University's security programs are coordinated and integrated with contingency planning and business resumption activities.