
Risk Assessment Process

What is an information security risk assessment? Why are they important?

A risk assessment involves:

    • Identifying threats and vulnerabilities that could adversely affect the data, systems or operations of UCI.
    • Evaluating current security practices against the requirements in the UCI Information Security Standard (ISS).
    • Creating action plans to remediate prioritized risks identified in the risk assessment questionnaire.
    • Documenting actions and decisions related to approved security exceptions, risk acceptance, residual risk, risk avoidance and risk transference.


In addition to being a required part of our information security program, risk assessments are powerful tools for:

    • Reducing the likelihood of breaches (assuming gaps are addressed).
    • Facilitating communication of risk (and resources required to address) to Unit leadership.
    • Avoiding fines or sanctions due to lack of compliance with external regulations and laws.
    • Increasing awareness of required security practices.
    • Improving operations, and ultimately enhancing UCI’s ability to deliver on its mission.

What needs a risk assessment?

Risk Assessments need to be completed for:

When do I need to perform a security risk assessment?

A risk assessment (or review/update of a previously completed assessment) is required:

    • Prior to placing critical IT infrastructure or a system classified at P3 or P4 into production, or
    • Once every two years, or
    • Following major changes in the configuration/environment, or
    • On a frequency to meet regulatory, contractual and legal requirements

Who should complete a security risk assessment?

Risk assessments can be completed by anyone familiar with the technical and administrative controls in place for a system. Completed risk assessments must be reviewed and approved by the Unit Information Security Lead (UISL) or their designate. Security risk assessments are launched and managed through our ITRM/GRC tool (OneTrust).

How do I complete a security risk assessment?

  1. Select the subject of your assessment. This may be a Unit, department, complex custom system, or third-party SaaS application.
    Not sure where to start? For now we are focused on ensuring all P4 assets in your Protected Data & Systems Inventory have been assessed. Take a prioritized approach and focus first on the asset with the biggest perceived risk.
  2. Launch and complete the appropriate assessment questionnaire. Detailed instructions for completing questionnaires in our ITRM/GRC tool are below. Ensure you have an updated Network Diagram and Data Flow Diagram as part of the assessment to help explain the system and identify weaknesses.
  3. Evaluate the risks surfaced. Risks are automatically generated through the assessment process. Additional risks may be manually added as appropriate.
  4. Plan and prioritize remediation.
  5. Formally accept risk for those risks that will not be remediated within twelve months. Detailed instructions for tracking risks in our ITRM/GRC tool are below.
  6. After completing the risk assessment process, begin to remediate risks.
  7. Reassess every two years, upon major changes to the use case or system, or as required by external requirements.

The following is an outline of the security risk assessment experience:


Need help?

Check out our Facilitated Risk Assessment service.