
Risk Assessment

CIO Blog

Dear Colleagues,

Today’s IT environment is changing more rapidly than at any time before. In fact, many of the technologies that we now take for granted did not exist even 5 years ago. Consider the iPad and the onslaught of wireless devices in the years since we installed wireless across campus. We built a high-capacity infrastructure that is now crippled by BYOD. Everyone has more than one wireless device, and they are all “on” at the same time. We have over 100,000 devices that connect to our network, and that is rather troublesome. It affects not only our performance but is also a significant security risk. This brings me to a point for consideration: not only has our IT infrastructure become more taxed, but our security responsibilities have become much broader.

In order to address these security concerns, OIT last fall hired Paco Diaz, who came to us with an extensive IT auditing background. We immediately began evaluating our IT security risks through a process of Risk Management and Assessment. This represents a strategy to detect and prevent, or at least minimize, the effects of serious risks associated with the management of information assets, proprietary information, and intellectual property. The process is rather detailed and involves assessing and evaluating risks, implementing risk mitigation based upon severity, and measuring the results of the mitigation. It is a process that becomes an on-going part of the development of a critical security tool within our organization.

It is important for all of us to understand the value of this risk assessment. Failure of any institution to perform a thorough and honest risk assessment, or to act appropriately on the findings of an assessment, represents a breach of responsibility for the executive leadership of OIT as well as UA. One of the most critical elements of an assessment such as this is that, at least for UA, it does not represent a direct cost but rather an indirect one. We have already invested heavily in security and networking jointly, as well as in our data centers. As an indirect cost it will weigh heavily on you, the staff of OIT. Documentation of processes, the development of policies and procedures, and the implementation of these mean a change in the culture and an added mandate from the Executive Team.

We have completed a first-phase draft of the Risk Assessment tool and populated it with 302 risk scenarios that map into the NIST (the National Institute of Standards) and CCA (Consortium for Cyber Security Action) critical control elements. These are the control elements defined by NSA, CIA, FBI, and SANS. We have also identified contributing and mitigating risk factors and the estimated mitigation efforts for the scenarios.

An estimate of residual risk is used to indicate how effective the mitigation is expected to be. The distribution of risks is indicated below and is based on the Risk Management process.


Notice that security, compliance, and operational risks are predominant, and that many of these relate to the need to establish enforceable policies and procedures.

Our assessment will be presented to the Property and Casualties Committee of The Board of Trustees at the February meeting. It is an exciting and demanding time, and I know we are willing to be at the forefront of IT Security!
