CIO Blog

Risk Assessment

Dear Colleagues,

Today’s IT environment is changing more rapidly than at any time before. Many of the technologies we now take for granted did not exist even five years ago. Consider the iPad and the onslaught of wireless devices in the years since we installed wireless across campus. We built a high-capacity infrastructure that is now strained by BYOD: everyone carries more than one wireless device, and they are all “on” at the same time. More than 100,000 devices connect to our network, and that is troublesome. It not only degrades our performance but also represents a significant security risk, because devices we do not manage share the same network as the systems we must protect. This brings me to a point for consideration: not only has our IT infrastructure become more taxed, but our security responsibilities have become much broader.

To address these security concerns, OIT last fall hired Paco Diaz, who came to us with an extensive IT auditing background. We immediately began evaluating our IT security risks through a formal Risk Management and Assessment process. It is a strategy to detect and prevent, or at least minimize the effects of, serious risks to the management of information assets, proprietary information and intellectual property. The process is detailed: it involves identifying and evaluating risks, implementing mitigation in order of severity, and then measuring the results of that mitigation so the estimates can be revised. It is not a one-time project; it becomes an ongoing part of our security program and a critical security tool within our organization.

It is important for all of us to understand the value of this risk assessment. Failure of any institution to perform a thorough and honest risk assessment, or to act appropriately on its findings, represents a breach of responsibility by the executive leadership of OIT as well as UA. One of the most critical features of an assessment such as this is that, at least for UA, it does not represent a direct cost but rather an indirect one. We have already invested heavily in security and networking, as well as in our data centers. As an indirect cost, it will weigh heavily on you, the staff of OIT: documenting processes, developing policies and procedures, and implementing them means a change in culture and an added mandate from the Executive Team.

We have completed a first-phase draft of the Risk Assessment tool and populated it with 302 risk scenarios that map to the critical control elements of NIST (the National Institute of Standards and Technology) and the CCA (Consortium for Cybersecurity Action). These are the control elements defined by NSA, CIA, FBI, and SANS. For each scenario we have also identified the contributing and mitigating risk factors and estimated the mitigation effort.

For each scenario, an estimate of residual risk (the risk that remains after the planned mitigation is in place) indicates how effective the mitigation is expected to be. The distribution of risks is shown below and is based on the Risk Management process.


Notice that security, compliance, and operational risks predominate, and that many of these relate to the need to establish enforceable policies and procedures.
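The arithmetic behind a residual-risk estimate and a distribution by category, as an added illustration in Python that is not OIT’s assessment tool and not code from this post. The 1-to-5 likelihood and impact scales, the severity bands, the “effectiveness” fraction and the six sample scenarios are assumptions constructed for the example; the real tool holds 302 scenarios mapped to NIST and CCA controls, none of which appear here.

```python
"""Toy risk register: inherent vs. residual scoring and the distribution by category.

Added illustration, not OIT's assessment tool. The 1-5 scales, the severity
bands and the six scenarios below are assumptions chosen for the example.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    ident: str
    category: str            # security / compliance / operational / financial
    likelihood: int          # 1 (rare) .. 5 (almost certain)   -- assumed scale
    impact: int              # 1 (negligible) .. 5 (severe)     -- assumed scale
    mitigation: str          # planned control, free text
    effectiveness: float     # expected fraction of inherent risk removed, 0.0..1.0

    def __post_init__(self):
        # Reject out-of-scale entries so a typo cannot silently distort the ranking.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.ident}: likelihood and impact must be 1..5")
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.ident}: effectiveness must be 0..1")


# Severity bands on the 1..25 product scale (assumed thresholds).
BANDS = (("high", 15), ("medium", 8), ("low", 0))
BAND_ORDER = {"low": 0, "medium": 1, "high": 2}


def inherent_score(s: RiskScenario) -> int:
    """Risk before any mitigation: likelihood x impact."""
    return s.likelihood * s.impact


def residual_score(s: RiskScenario) -> float:
    """Risk expected to remain after the planned mitigation is in place."""
    return round(inherent_score(s) * (1.0 - s.effectiveness), 1)


def severity(score: float) -> str:
    """Map a score to its band; bands are checked from most to least severe."""
    for name, floor in BANDS:
        if score >= floor:
            return name
    return "low"


def prioritize(register):
    """Mitigation order: highest inherent score first, ties broken by id."""
    return [s.ident for s in sorted(register, key=lambda s: (-inherent_score(s), s.ident))]


def distribution(register, residual=False):
    """Count scenarios per category and severity band (inherent or residual)."""
    score = residual_score if residual else inherent_score
    out = {}
    for s in register:
        out.setdefault(s.category, Counter())[severity(score(s))] += 1
    return out


def residual_at_or_above(register, band):
    """Scenarios whose residual risk still sits at `band` or worse: the mitigation gaps."""
    floor = BAND_ORDER[band]
    return [s.ident for s in register if BAND_ORDER[severity(residual_score(s))] >= floor]


# Constructed sample register (not the 302 scenarios from the assessment).
REGISTER = [
    RiskScenario("R-001", "security", 5, 4, "device registration / NAC on wireless", 0.6),
    RiskScenario("R-002", "security", 5, 5, "phishing awareness plus MFA on mail", 0.5),
    RiskScenario("R-003", "compliance", 4, 4, "enforceable data classification policy", 0.75),
    RiskScenario("R-004", "operational", 4, 3, "wireless capacity planning", 0.5),
    RiskScenario("R-005", "security", 3, 5, "patch cadence for data center hosts", 0.2),
    RiskScenario("R-006", "financial", 2, 3, "none planned", 0.0),
]

if __name__ == "__main__":
    by_id = {s.ident: s for s in REGISTER}
    for ident in prioritize(REGISTER):
        s = by_id[ident]
        inh, res = inherent_score(s), residual_score(s)
        print(f"{ident} {s.category:12} inherent={inh:>2} ({severity(inh)})"
              f" residual={res:>4} ({severity(res)})  {s.mitigation}")
    print("inherent distribution:", distribution(REGISTER))
    print("residual distribution:", distribution(REGISTER, residual=True))
    print("still medium or worse after mitigation:", residual_at_or_above(REGISTER, "medium"))
```

Two things the numbers show that the prose does not: a scenario can stay in the “medium” band even after a well-chosen control (R-005 drops only from 15 to 12 because a 20% effectiveness estimate was assumed), and the residual distribution is what to bring back after the measurement step, since re-scoring effectiveness from observed results is what turns the register from a one-time ranking into the ongoing process the post describes.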

Our assessment will be presented to the Property and Casualties Committee of the Board of Trustees at its February meeting. It is an exciting and demanding time, and I know we are willing to be at the forefront of IT security!
