Departments or units that handle or manage information assets or electronic resources should conduct formal risk assessments to determine what information resources exist that require protection, and to understand and document potential risks from IT security failures that may cause loss of information confidentiality, integrity, or availability. The purpose of a risk assessment is to help management create appropriate strategies and controls for stewardship of information assets.
Successful risk assessments require full support of senior management and must be conducted by teams that include both functional managers and information technology administrators. As business operations, workflow, or technologies change, periodic reviews should be conducted to analyze these changes, to account for new threats and vulnerabilities created by these changes, and to determine the effectiveness of existing controls.
The Educause Risk Assessment Framework (pdf) provides a high-level overview for conducting risk assessments in higher education. The framework uses a phased approach.
Phase 0: Establish risk assessment criteria for the identification and prioritization of assets
Phase 1: Develop initial security strategies
Phase 2: Technological View - Identify Infrastructure Vulnerabilities
Phase 3: Risk analysis - Develop Security Strategy and Plans
The UCOP Risk Assessment Methodology Overview outlines steps for the risk assessment process.
See Risk Assessment Resources for links to other risk assessment information.