Risk Assessment

CIO Blog

Dear Colleagues,

Today’s IT environment is changing more rapidly than at any time before. In fact, many of the technologies that we now take for granted did not exist even 5 years ago. Consider the iPad and the onslaught of wireless devices in the years since we installed wireless across campus. We built a high-capacity infrastructure that is now crippled by BYOD. Everyone has more than one wireless device, and they are all “on” at the same time. We have over 100,000 devices that connect to our network, and that is rather troublesome: it affects not only our performance but also represents a significant security risk. This brings me to a point for consideration, because not only has our IT infrastructure become more taxed, but our security responsibilities have become much broader.

To address these security concerns, OIT last fall hired Paco Diaz, who came to us with an extensive IT auditing background. We immediately began evaluating our IT security risks through a process of Risk Management and Assessment. This represents a strategy to detect and prevent, or at least minimize the effects of, serious risks associated with the management of information assets, proprietary information, and intellectual property. The process is rather detailed and involves assessing and evaluating risks, implementing risk mitigation based upon severity, and measuring the results of the mitigation. It is a process that becomes an ongoing part of the development of a critical security tool within our organization.

It is important for all of us to understand the value of this risk assessment. Failure of any institution to perform a thorough and honest risk assessment, or to act appropriately on the findings of an assessment, represents a breach of responsibility for the executive leadership of OIT as well as UA. One of the most critical elements of an assessment such as this is that it does not represent a direct cost but rather an indirect one, at least for UA. We have heavily invested in security and networking jointly, as well as in our data centers. As an indirect cost, it will weigh heavily on you, the staff of OIT. Documentation of processes, the development of policies and procedures, and the implementation of these mean a change in the culture and an added mandate from the Executive Team.

We have completed a first-phase draft of the Risk Assessment tool and populated it with 302 risk scenarios that map to NIST (the National Institute of Standards and Technology) and CCA (Consortium for Cybersecurity Action) critical control elements. These are the control elements defined by NSA, CIA, FBI, and SANS. We have also identified contributing and mitigating risk factors and the estimated mitigation effort for each scenario.

An estimate of residual risk is used to indicate how effective the mitigation is expected to be. The distribution of risks is indicated below and is based on the Risk Management process.

[Figure: distribution of the risk scenarios by category]

Notice that the security, compliance, and operational risks are predominant and that many of these relate to the need to establish enforceable policies and procedures.

Our assessment will be presented to the Property and Casualties Committee of The Board of Trustees at its February meeting. It is an exciting and demanding time, and I know we are willing to be at the forefront of IT Security!
