IT/PPS 04.15 - IT Division Risk Management
IT Division Risk Management
IT/PPS No. 04.15
Issue No. 1
Effective Date: 5/01/2018
Next Review Date: 4/01/2019 (EY)
Sr. Reviewer: Vice President for Information Technology
- This policy establishes the Information Technology (IT) Division risk assessment methodology to be applied to information security issues, identified infrastructure deficiencies, audit findings, observations, and recommendations.
Risk Assessment Methodology – a systematic process for describing and quantifying the risks associated with hazardous substances, processes, actions or events.
Impact – the effect a single occurrence of a risk will have upon the achievement of the institution’s goals and initiatives.
IRM – Information Resource Manager
ISO – Information Security Officer
Probability – the probability that a risk will become reality.
Risk Score – The impact and probability ratings are used to create a final risk score.
Risk Register – a repository for all risks identified, including information about each risk (e.g., nature of the risk, reference and owner, and mitigation measures).
GUIDELINES AND PROCEDURES
As issues in an area arise (new audit report, new information security risk assessment, or other process or evaluation that surfaces a potential risk), these items should be categorized by their risk score, which is based upon a combination of probability and impact.
Issues shall be documented, maintained, and managed by each associate vice president, the chief information security officer, or the special assistant to the vice president for Information Technology (VPIT). If the issue is determined to be an information security incident or event, management of the incident will be handled by the Information Security Office or, if classified by the ISO as high risk, by the VPIT (Information Resource Manager).
The impact shall be classified by one of five values:
Impact Value    Impact Description
Severe          The effect will cause the university to not achieve its goals and initiatives; it is an “institutional show stopper.”
Major           The effect will cause the component not to achieve its goals and initiatives; it is a “show stopper.”
Moderate        The effect will cause the institution or component to operate inefficiently or expend unplanned resources to meet goals and initiatives.
Minor           The effects should be monitored to determine if action is required.
Insignificant   The measurable effect upon the achievement of the institution’s goals and initiatives would be immaterial or insignificant.
The following factors, if pertinent to the risk, may be considered during the assessment of impact: human health and safety, societal or environmental, monetary, business or operations, information technology, information security, public relations, reporting and disclosure, strategic, compliance, and fraud.
The matrix shall classify the probability with one of five values:
Probability Value   Probability Description
Almost Certain      An event is inevitable, or there is a great likelihood that an event will occur.
Likely              An event is likely to occur.
Possible            The risk is neither extremely likely nor highly unlikely. The probability of an event is similar to occurrences within the normal course of operations.
Unlikely            The risk of an event is unlikely.
Rare                The risk of an event is extremely unlikely or would require a combination of multiple failures.
The following factors, if pertinent to the risk, may be considered during the assessment of probability: history, conflicts of interest, susceptibility to fraud or theft, key changes (including leadership, key personnel, regulations, policies, operating processes, computer systems, software applications, etc.), control activities need improvement, policies and procedures require updates, training, complexity of unit or process.
PROCEDURE FOR CALCULATING RISK SCORE
The impact and probability ratings are used to create a quantitative calculated risk score encompassing a range from 1 to 25 (R = P x I). Higher scores mean increased risk.
Probability \ Impact   Insignificant   Minor   Moderate   Major   Severe
Almost Certain               5           10       15        20       25
Likely                       4            8       12        16       20
Possible                     3            6        9        12       15
Unlikely                     2            4        6         8       10
Rare                         1            2        3         4        5
Risk scores are classified into five categories to assist in determining the need for, or immediacy of, response or action.
Risk Classification   Action Required    Calculated Risk Score
Catastrophic          Immediate Action   16 - 25
Critical              Urgent Action      10 - 15
Moderate              Action Needed      5 - 9
Low                   Monitor            3 - 4
Insignificant         No Action          1 - 2
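The scoring procedure above (five-point probability and impact scales, R = P x I, and the five classification bands), as an added worked example in Python that is not part of the PPS. It recomputes the full 5 x 5 matrix from the product rule so the printed table can be checked against the formula, rejects ratings that are not on the scale, and orders a small risk register by urgency. The register entries are constructed sample data, and the class, function and field names are my own rather than anything the policy prescribes.

```python
from dataclasses import dataclass

# Five-point scales as defined in the PPS. The integer values are the
# weights used by the 5 x 5 matrix (Rare = 1 ... Almost Certain = 5,
# Insignificant = 1 ... Severe = 5).
PROBABILITY = {
    "Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5,
}
IMPACT = {
    "Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Severe": 5,
}

# Classification bands from the PPS: (low, high, classification, action required).
BANDS = [
    (16, 25, "Catastrophic", "Immediate Action"),
    (10, 15, "Critical", "Urgent Action"),
    (5, 9, "Moderate", "Action Needed"),
    (3, 4, "Low", "Monitor"),
    (1, 2, "Insignificant", "No Action"),
]


def risk_score(probability: str, impact: str) -> int:
    """R = P x I on the PPS scales; rejects ratings that are not on the scale."""
    if probability not in PROBABILITY:
        raise ValueError(f"unknown probability rating: {probability!r}")
    if impact not in IMPACT:
        raise ValueError(f"unknown impact rating: {impact!r}")
    return PROBABILITY[probability] * IMPACT[impact]


def classify(score: int) -> tuple[str, str]:
    """Map a 1-25 score onto (classification, action required)."""
    for low, high, name, action in BANDS:
        if low <= score <= high:
            return name, action
    raise ValueError(f"score {score} is outside the 1-25 range")


def build_matrix() -> dict[tuple[str, str], int]:
    """Recompute every cell of the 5 x 5 matrix from the product rule, so the
    table printed in the policy can be checked against the formula."""
    return {(p, i): risk_score(p, i) for p in PROBABILITY for i in IMPACT}


@dataclass
class RiskRegisterEntry:
    """One row of a departmental risk register (field names are my own)."""
    reference: str      # e.g. audit finding or assessment item id (hypothetical)
    nature: str
    owner: str
    probability: str
    impact: str
    mitigation: str

    @property
    def score(self) -> int:
        return risk_score(self.probability, self.impact)

    @property
    def classification(self) -> str:
        return classify(self.score)[0]

    @property
    def action_required(self) -> str:
        return classify(self.score)[1]


def by_urgency(register: list[RiskRegisterEntry]) -> list[RiskRegisterEntry]:
    """Order a register highest score first, so items needing immediate or
    urgent action come out on top."""
    return sorted(register, key=lambda e: e.score, reverse=True)


# Constructed sample register (hypothetical items, not taken from the PPS).
SAMPLE_REGISTER = [
    RiskRegisterEntry("AUD-001", "Vendor patches overdue on a public-facing web server",
                      "AVP Technology Resources", "Likely", "Major",
                      "Apply vendor patches; add host to the monthly patch cycle"),
    RiskRegisterEntry("ISRA-007", "Shared administrator account on backup system",
                      "CISO", "Possible", "Moderate",
                      "Issue named accounts; enable multi-factor authentication"),
    RiskRegisterEntry("OBS-012", "Outdated internal documentation for VPN setup",
                      "Special Assistant to VPIT", "Unlikely", "Insignificant",
                      "Update documentation at next scheduled review"),
]


if __name__ == "__main__":
    for entry in by_urgency(SAMPLE_REGISTER):
        print(f"{entry.reference:9} {entry.score:2}  "
              f"{entry.classification:13} {entry.action_required}")
```

With the sample data the register prints AUD-001 first (Likely x Major = 16, Catastrophic), then ISRA-007 (3 x 3 = 9, Moderate, the top of that band) and OBS-012 (2 x 1 = 2, Insignificant). Because every product of two values in 1..5 lands inside one of the five bands, classify() never falls through for a score produced by risk_score(); the ValueError paths only fire on ratings or scores that are not on the PPS scales.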
APPLYING RISK SCORES TO AUDITS AND DEPARTMENTAL RISK ASSESSMENTS
Calculated risk scores should be included, where appropriate, in any risk assessment performed by departments of the IT Division.
Calculated risk scores should be included in response to any audit finding, recommendation, observation, or area of improvement. When appropriate, this risk score shall guide the management response.
Calculated risk scores should be maintained in each IT department’s risk register, which should be updated regularly.
REVIEWERS OF THIS PPS
Reviewers of this PPS include the following:
Position                                                                     Date
Vice President for Information Technology                                    April 1 EY
Chief Information Security Officer                                           April 1 EY
Assistant Vice President for Information Technology, Business Operations     April 1 EY
Associate Vice President for Instructional Technologies Support              April 1 EY
Associate Vice President for Technology Resources                            April 1 EY
Associate Vice President for University Libraries                            April 1 EY
Special Assistant to the Vice President for Information Technology           April 1 EY
This PPS has been reviewed by the following individuals in their official capacities and represents Texas State Information Technology policy and procedure from the date of this document until superseded.
Vice President for Information Technology; senior reviewer of this PPS