Old Dominion University
Information Technology Risk Assessment For
Risk Assessment Report
Risk Assessment Annual Document Review History
The Risk Assessment is reviewed, at least annually, and the date and reviewer recorded on the table below.
Review Date / Comments / Reviewer
Table of Contents
1 INTRODUCTION
2 IT SYSTEM CHARACTERIZATION
3 RISK IDENTIFICATION
4 CONTROL ANALYSIS
5 RISK LIKELIHOOD DETERMINATION
6 IMPACT ANALYSIS
7 RISK DETERMINATION
8 RECOMMENDATIONS
9 RESULTS DOCUMENTATION
List of Exhibits
Exhibit 1: Risk Assessment Matrix
List of Figures
Figure 1 – IT System Boundary Diagram
Figure 2 – Information Flow Diagram
List of Tables
Table A: Risk Classifications
Table B: IT System Inventory and Definition
Table D: Vulnerabilities, Threats, and Risks
Table E: Security Controls
Table F: Risks-Controls-Factors Correlation
Table G: Risk Likelihood Definitions
Table H: Risk Likelihood Ratings
Table I: Risk Impact Rating Definitions
Table J: Risk Impact Analysis
Table K: Overall Risk Rating Matrix
Table L: Overall Risk Ratings Table
Table M: Recommendations
1 INTRODUCTION
Participants: Risk assessment participants, their IT roles (System Owner, Data Owner, etc.), roles in their department and any specific role taken in the System Risk Assessment.
Assessment Techniques: The techniques used to gather the necessary information (the use of tools, use of questionnaires, vendor input, area expertise input, system component documentation).
Table A: Risk Classifications
Risk Level / Risk Description & Necessary Actions
High / The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets or individuals.
Moderate / The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets or individuals.
Low / The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets or individuals.
2 IT SYSTEM CHARACTERIZATION
System Inventory and Definition
IT System Inventory and Definition Document
I. IT System Identification and Ownership
IT System ID / IT System Common Name
Owned By
Physical Location
Major Business Function
System Owner
Phone Number / System Administrator(s)
Phone Number
Data Owner(s)
Phone Number(s) / Data Custodian(s)
Phone Number(s)
Other Relevant Information
II. IT System Boundary and Components
IT System Description and Components / Hardware Components
Software Components
Intended Audience
IT System Interfaces / End User Interfaces
Administrative Interfaces
Database Connections
Loads, Extracts or Other Connections
IT System Boundary / Data Boundary
Physical/ Hardware Boundary
Support Boundary
III. IT System Operability and Agreements
External Agency or Hosting Vendor / IT System Name / IT System ID / IT System Owner / Interoperability Security Agreement / Terms and Conditions
IV. IT System and Data Sensitivity
Type of Data / Sensitivity Ratings*
Data
Classification / Confidentiality / Integrity / Availability
Overall IT System Sensitivity Rating and Classification / Overall IT System Sensitivity Rating
Must be “high” if sensitivity of any data type is rated “high” on any of the criteria
High Moderate Low
IT System Classification
Must be “Sensitive” if overall sensitivity is “high”; consider as “Sensitive” if overall sensitivity is “moderate”
Sensitive Non-Sensitive
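The two roll-up rules in Section IV (overall sensitivity is the high-water mark across every data type and every CIA criterion; classification is "Sensitive" when that mark is High and should be treated as Sensitive when it is Moderate) are easy to get wrong when a system carries many data types. The following is an added example, not part of the ODU template, that applies the rules mechanically, reports which data type and criterion drive the rating (useful when writing the Table D risk summaries), and collects the regulations recorded against each data type for the Compliance note. The data types, ratings and regulation names are constructed for illustration; the `regulated_by` field is an assumption about how the form's compliance note would be captured.

```python
"""Added example: high-water-mark roll-up of IT system sensitivity per
Section IV of the ODU inventory form. Not ODU code; sample data is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Ordering used by the form: Low < Moderate < High.
RATING_ORDER = {"Low": 0, "Moderate": 1, "High": 2}
CRITERIA = ("Confidentiality", "Integrity", "Availability")


@dataclass(frozen=True)
class DataType:
    """One row of the 'Type of Data / Sensitivity Ratings' table."""
    name: str
    confidentiality: str
    integrity: str
    availability: str
    # Assumption: laws/regulations covering this data type, as the form's
    # compliance note asks for them (e.g. FERPA for student records).
    regulated_by: Tuple[str, ...] = field(default_factory=tuple)

    def ratings(self) -> Tuple[str, str, str]:
        return (self.confidentiality, self.integrity, self.availability)


def validate(dt: DataType) -> None:
    """Reject ratings outside the form's vocabulary so a typo cannot silently
    rank below 'Low' and hide a High data type."""
    for crit, r in zip(CRITERIA, dt.ratings()):
        if r not in RATING_ORDER:
            raise ValueError(f"{dt.name}/{crit}: unknown rating {r!r}; use Low, Moderate or High")


def overall_sensitivity(data_types: List[DataType]) -> str:
    """High-water mark across all data types and all three criteria."""
    if not data_types:
        raise ValueError("no data types listed; Section IV of the inventory is incomplete")
    for dt in data_types:
        validate(dt)
    top = max(RATING_ORDER[r] for dt in data_types for r in dt.ratings())
    return next(name for name, level in RATING_ORDER.items() if level == top)


def drivers(data_types: List[DataType]) -> List[Tuple[str, str]]:
    """(data type, criterion) pairs that pin the overall rating."""
    overall = overall_sensitivity(data_types)
    return [(dt.name, crit)
            for dt in data_types
            for crit, r in zip(CRITERIA, dt.ratings()) if r == overall]


def regulations(data_types: List[DataType]) -> List[str]:
    """Distinct laws/regulations to document under 'Compliance', sorted."""
    return sorted({reg for dt in data_types for reg in dt.regulated_by})


def classify(data_types: List[DataType]) -> Dict[str, str]:
    """Apply the form's classification rule to the overall rating."""
    overall = overall_sensitivity(data_types)
    if overall == "High":
        return {"overall": overall, "classification": "Sensitive",
                "basis": "required: overall sensitivity is High"}
    if overall == "Moderate":
        # The form says 'consider as Sensitive'; default to Sensitive and make
        # the assessor record a reason if they choose otherwise.
        return {"overall": overall, "classification": "Sensitive",
                "basis": "recommended: overall sensitivity is Moderate; "
                         "document the rationale if Non-Sensitive is chosen"}
    return {"overall": overall, "classification": "Non-Sensitive",
            "basis": "no data type rated above Low on any criterion"}


# Constructed sample inventory (not a real ODU system).
SAMPLE = [
    DataType("Student grade records", "High", "High", "Moderate", ("FERPA",)),
    DataType("Course catalog", "Low", "Moderate", "Moderate"),
    DataType("Help-desk ticket text", "Moderate", "Low", "Low"),
]

if __name__ == "__main__":
    result = classify(SAMPLE)
    print(f"Overall IT System Sensitivity Rating: {result['overall']}")
    print(f"IT System Classification: {result['classification']} ({result['basis']})")
    print("Driven by:", drivers(SAMPLE))
    print("Compliance requirements to document:", regulations(SAMPLE))
```

A single High cell anywhere in the table forces the whole system to High, so the script is most useful for catching the case where an assessor rates a minor data type High "to be safe" and thereby commits the system to the full set of Sensitive-system controls.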
V. IT System Management Practices
ITS IT Standards
http://ITS.odu.edu/policies/index.php / Acceptance of ITS Standards / If No, Describe
Account Management / Yes / No
Backups Schedules / Yes / No
Server Management / Yes / No
IT Security Program / Yes / No
Additional Information:
Compliance:
*For Data that is protected by law, regulation, or compliance requirement, document the applicable laws, regulations or compliance requirements for each type of covered data:
System Diagram:
Description or diagram of the system and network architecture, including all components of the system and communications links connecting the components of the system, associated data communications and networks:
3 RISK IDENTIFICATION
Identification of Vulnerabilities, Threats and Risk
Vulnerabilities and threats were identified by what means:
The way vulnerabilities combine with credible threats to create risks is identified in Table D.
Table D: Vulnerabilities, Threats, and Risks
Risk No. / Vulnerability / Threat / Risk of Compromise of / Risk Summary
1 / Patches to correct flaws in application software not installed. / Computer crime; Malicious use; System compromise; Unauthorized access / Confidentiality and integrity of <what> data. / Exploitation of flaws in application software could result in compromise of confidentiality and integrity of <what> data.
2 / Patches to correct flaws in operating system software not installed. / Computer crime; Malicious use / Confidentiality and integrity of <what> data. / Exploitation of flaws in operating system software could result in compromise of confidentiality and integrity of <what> data.
3 / Remote access to server console not properly monitored. / System compromise; Unauthorized access / Confidentiality and integrity of corporate data. / Remote access currently set to… <specify current controls>. If these controls are not in place, unauthorized access could result in compromise of confidentiality and integrity of <what> data.
4 / Loss of firewall protection. / Computer crime; Malicious use; System compromise; Unauthorized use / Confidentiality and integrity of corporate data. / This system sits <where relative to campus firewalls>; failure of this firewall (or these firewalls) increases the likelihood that the other risks in this table will be exploited.
5 / Internal access to server. / Computer crime; Malicious use; Unauthorized use / Confidentiality and integrity of corporate data. / Loss or theft of data from the server could result in compromise of confidentiality and integrity of <what> data.
6 / Hardware Issues/Equipment Failure or loss / System Unavailable / Inability to access the system. / Loss of hardware or equipment would result in the entire system or some portion of the system being unavailable.
7 / Single Point of Failure / System Unavailable / Inability to access the system. / Loss of any portion of the system would result in the entire system or some portion of the system being unavailable.
8 / Poor Systems Administration Practices External to <my administrator(s)>. / Computer crime, malicious use, system compromise, unauthorized access / Confidentiality and integrity of corporate data. / Poor administration practices could result in compromise of the system and expose <what> data to a risk of loss of availability, confidentiality or integrity.
9 / Key Person Dependency / System Unavailable / Inability to adequately support the application. / Loss of key person could result in system downtime if a software issue occurred, or the inability to enhance or maintain this system’s functionality.
10 / Loss of Critical Documentation, Data or Software / Computer crime, malicious use, system compromise, unauthorized access / Confidentiality and integrity of corporate data. / Loss of documentation, software or data could result in data compromise and temporary disruption in service, or inability to restore services which have been lost.
11 / Clear Text Transmission of Critical Data / Computer crime, malicious use, system compromise, unauthorized access / Confidentiality and integrity of corporate data. / Capture of clear text data could result in identity theft and /or system access control issues.
12 / Data Disclosure / Computer crime, malicious use, system compromise, unauthorized access / Confidentiality and integrity of corporate data. / Disclosure of sensitive personal information could result in identity theft and/or system access control issues.
13 / Inadequate Customer Practices / Computer crime, malicious use, system compromise, unauthorized access / Confidentiality and integrity of corporate data. / Data corruption or loss, or implementation of applications with errors, could result from improper or incomplete testing of system or application changes.
14 / Inadequate Database Support / Computer crime, malicious use, system compromise, unauthorized access / Confidentiality and integrity of corporate data, inability to access and recover corporate data. / Data corruption or loss could result from improper or incomplete testing of system changes or system management /monitoring.
15 / Inadequate Applications Support / Computer crime, malicious use, system compromise, unauthorized access / Inability to adequately support the application. / Data corruption or loss could result from improper or incomplete testing of the application changes.
16 / Software Issues from Vendor / Computer crime, malicious use, system compromise, unauthorized access / Confidentiality and integrity of corporate data and ability to provide service to the campus. / Software issues caused by the vendor could lead to data corruption or mission critical system disruption or dysfunction.
17 / Poor Password Practices / Computer crime, malicious use, system compromise, unauthorized access / Confidentiality and integrity of corporate data. / Poor password practices could allow improper system access which could result in data theft, data corruption, application system alteration or disruption.
18 / System Compromise / Computer crime, malicious use, unauthorized access / Confidentiality and integrity of corporate data. / Compromise system could result in data theft, data corruption, application system alteration or disruption.
19 / Lack of Sufficient Operational Policies / Computer crime, malicious use, system compromise, unauthorized access / Confidentiality and integrity of corporate data. / Lack of, or improper execution of, sufficient operational policies could result in data theft, data corruption, application system alteration or disruption.
20 / Poor Physical Security / Computer crime, malicious use, system compromise, unauthorized access / Confidentiality and integrity of corporate data. / Poor physical security could allow unauthorized physical access to staff workstations or Computer Center assets, which could result in data theft, data corruption, application system alteration or disruption.
21 / Functional Lockout / System unavailability / Inability to access the system. / The inability of staff to access the computing infrastructure or applications could leave the system unavailable to its users.
22 / Environmental Issues / Loss of air conditioning or power. / Inability to access the system. / Environmental issues could result in the inability to access and maintain server hardware.
23 / Natural Disaster / Hurricanes, floods, and other weather phenomena. / Inability to access the system. / Natural disasters could interrupt power to the Computer Center and make it impossible for staff to support the server environment, thus disabling access to <what>.
24
25
4 CONTROL ANALYSIS
Table E documents the IT security controls in place and planned for the IT system.
Table E: Security Controls
Control Area / In-Place/Planned / Description of Controls /
1 Risk Management
1.1 IT Security Roles & Responsibilities / In Place / ODU Standard 02.2.2 – IT Security Roles and Responsibilities
1.2 Business Impact Analysis / In Place / ODU Standard 02.3.2 – Business Impact Analysis
1.3 IT System & Data Sensitivity Classification / In Place / ODU Standard 02.4.2 – Data Classification Standard
ODU Policy 3504 – Data Classification Standard
1.4 IT System Inventory & Definition / ODU Standard 02.5.2 – System Inventory Standard
1.5 Risk Assessment / ODU Standard 02.6.2 – Risk Assessment Standard
1.6 IT Security Audits / In Place / ODU Standard 02.7.2 – Security Audit Standard
2 IT Contingency Planning
2.1 Continuity of Operations Planning / ODU Standard 03.2.2 – Continuity of Operations Planning Standard
2.2 IT Disaster Recovery Planning / ODU Standard 03.3.2 – Disaster Recovery – Business Continuity Plan Standard
2.3 IT System & Data Backup & Restoration / ODU Standard 03.4.2 – IT System and Data Backup and Restoration Standard
3 IT Systems Security
3.1 IT System Hardening / ODU Standard 04.3.3 – Server Management Standard
3.2 IT Systems Interoperability Security / ODU Standard 01.6.0 – IT System Interoperability Security Standard
3.3 Malicious Code Protection / ODU Standard 04.5.2 – Malicious Code Protection Standard
3.4 IT Systems Development Life Cycle Security / In Place / ODU Standard 04.6.2 – Project Management Standard
ITS Procedure 04.1.1 – IS&DA Project Management Procedure
4 Logical Access Control
4.1 Account Management / ODU Standard 05.2.2 – Account Management Standard
ITS Procedure 05.2.2 – Account Management Procedure
4.2 Password Management / ODU Standard 05.2.2 – Account Management Standard
ITS Procedure 05.2.2 – Account Management Procedure
4.3 Remote Access / ODU Standard 05.4.1 – Remote Access Standard
5 Data Protection
5.1 Data Storage Media Protection / ODU Standard 06.2.2 – Data Storage Media Protection Standard
5.2 Encryption / ODU Standard 06.3.2 – Encryption Usage and Key Escrow Standard
6 Facilities Security
6.1 Facilities Security / ODU Standard 07.2.1 – Facilities Security Standard
7 Personnel Security
7.1 Access Determination & Control / In Place / ODU Standard 08.2.2 – Access Determination and Control Standard
7.2 IT Security Awareness & Training / In Place / ODU Guideline 08.3.2 – Security Training Program
7.3 Acceptable Use / In Place / ODU Standard 08.4.2 – Acceptable Use Standard
8 Threat Management
8.1 Threat Detection / In Place / ODU Standard 09.2.2 – Threat Detection Standard
8.2 Incident Handling / In Place / ODU Standard 09.4.2 – IT Security Incident Handling Standard
8.3 Security Monitoring & Logging / ODU Standard 09.3.2 – Security Monitoring and Logging Standard
9 IT Asset Management
9.1 IT Asset Control / In Place / ODU Standard 10.2.1 – IT Asset Control Standard
9.2 Software License Management / ODU Standard 10.2.2 – Software License Standard
9.3 Configuration Management & Change Control / In Place / ODU Standard 10.4.1 – Change Management Standard
Table F correlates the risks identified in Table D with relevant IT security controls documented in Table E and with other mitigating or exacerbating factors.
Table F: Risks-Controls-Factors Correlation
Risk No. / Risk Summary / Correlation of Relevant Controls & Other Factors
1 / Exploitation of flaws in application software could result in compromise of confidentiality and integrity of corporate data. / ITS Server Management Standard requires that application software changes be applied after undergoing a risk-benefit analysis. Patches and updates are obtained only from the vendor and applied on an as-needed basis.
2 / Exploitation of flaws in operating system software could result in compromise of confidentiality and integrity of corporate data. / ITS Server Management Standard requires that operating system changes be applied after undergoing a risk-benefit analysis. Patches and updates are obtained only from reputable and confirmed sources and applied on an as-needed basis.