2015

Information Technology
Risk Assessment Template

Introduction
Virginia Tech's Office of Converged Technologies for Security, Safety, and Resilience (CTSSR)
recommends that university departments conduct an Information Technology Risk Assessment
(ITRA) on an annual basis. After the initial ITRA is conducted, an annual review resulting in
revisions to the previous year’s report is acceptable.

New for 2015 is Step 1a, an evaluation of critical security controls (CSC) from an organizational
perspective. These controls are considered the most effective measures for detecting, preventing,
responding and mitigating the most common IT security risks.

Step 4 has been updated to provide improved risk response reporting. Step 5 has been updated to
include a new section (5a) for monitoring the status of previously proposed risk solutions.
 
Please be sure to access the ITRA website to download the most current versions of forms and
templates, and follow the steps outlined in this document to complete an ITRA for your
organization.

Submit your completed report as an attachment to [email protected]. If you have questions

about this process, you may also address them to [email protected], or call Brenda van
Gelder (1-1853) or Jean Plymale (1-2270).

CTSSR IT Risk Template – February 2015 1

 Information Technology Risk Assessment
2015

Table A: Basic Identifying Information / Management Certification

The ITRA process can be conducted for a
Organizational Area or Department single department or it can include several
and Senior Administrative departments in a common area (such as a Vice
affiliation (e.g. VP for ?) Presidential area or a college).

Scope of ITRA If multiple departments and/or units are included in

or specifically excluded from this ITRA, list them
here.
Date:

Initial or revised risk assessment? If

this is a revision, please provide dates
of last IT risk assessment(s).
If this is a revision, have the
recommend risk solutions from
previous IT risk assessment been
implemented? If not, why?

Mission Statement:
Required – This should be the same as those
Essential Business Functions: defined in the organizational area/department
continuity documentation

Risk Assessment Team Members:

Senior Management that approved the Required
contents of this IT risk assessment.

CTSSR IT Risk Template – February 2015 2

 Step 1a: Organizational Critical Security Controls
The following critical security controls (CSC) are considered some of the most effective
measures for detecting, preventing, responding and mitigating the most common IT security risks.

From an organizational perspective, please rate the levels of awareness of the need for, and
adoption of the following critical security controls.

Awareness Levels:
 High: Most in the organization are aware of the need for this security measure
 Medium: Only IT personnel are aware of the need for this security measure
 Low: Few in the organization are aware of the need for this security measure.
Adoption Levels:
 High: Some form of implementation exists for this security measure
 Medium: Planning for future implementation is underway.
 Low: No plans to adopt this security measure.

Table A: Organizational Critical Security Controls (CSC) Assessment

Organizational Awareness
Adoption Level
Critical Security Controls Level

CTSSR IT Risk Template – February 2015 3

Actively manage (inventory, track, and correct) all
hardware devices on the network. CSC 1
Actively manage (inventory, track, and correct) all
departmental software assets. CSC 2
Actively manage (track, report on, correct) the security
configuration of departmental hardware assets. CSC 3
Continuously acquire, assess, and take action on new
information in order to identify vulnerabilities,
remediate, and minimize the window of opportunity for
attackers. CSC 4
Malware Defenses: Control the installation, spread, and
execution of malicious code. CSC 5
Manage the security lifecycle of all in-house developed
and acquired software in order to prevent, detect, and
correct security weaknesses. CSC 6
Proven tools and/or processes to ensure data recovery
capabilities. CSC 8
Security Skills Assessment and Appropriate Training to
Fill Gaps – CSC 9
Secure Configurations for Network Devices. CSC 10
Limitation and Control of Network Ports, Protocols, and
Services. CSC 11
Controlled use of administrative privileges. CSC 12
Boundary Defenses: Detect/prevent/correct the flow of
information transferring networks of different trust
levels. CSC 13
Maintenance, monitoring or analysis of system audit
logs. CSC 14
Controlled Access Based on the Need to Know. CSC 15
Application Account Monitoring and Control. CSC 16
Data Protection processes to ensure the privacy and
integrity of sensitive information. CSC 17
* A complete list of the 20 Critical Security Controls for Effective Cyber Defense, is available at:
http://www.sans.org/critical-security-controls/

CTSSR IT Risk Template – February 2015 4

 Step 1b: Mission Impact Analysis (A)
List all the technology assets that are owned or controlled by the department, that support the
organizations essential business function – add rows to the table below as needed. The assets
may include personnel, hardware, software, data, systems, services, and other related
technology.

In order to generate the most complete list of technology assets, it is helpful to use more than one
technique to gather information from personnel in the department or unit. Techniques for
gathering information could include group discussion, individual input, questionnaires,
interviews, etc.

Table B1: Complete list of technology assets important to departmental mission

Technology Primary Location of Comments on use
Asset Contact Asset
for Asset
Software
Asset A Person 1
Asset B Person 2
Data
Limited- Data As defined in university policy
access data Steward/Manager 7100;
http://www.policies.vt.edu/7100.pdf
University Data As defined in university policy
Internal data Steward/Manager 7100;
http://www.policies.vt.edu/7100.pdf
Public data Data As defined in university policy
Steward/Manager 7100;
http://www.policies.vt.edu/7100.pdf
Hardware

Asset A System Owner,

Admin
Asset B System Owner,
Admin
Personnel
Asset A Person 1
Asset B Person 2
Asset C Person 3
Services
Asset A e.g., Person 1:
departmental (e.g., Web
web site Admin)
Asset B Online catalogs,
Asset C Service X
Append any
other
category
Asset A Person 1
Asset B Person 2
Asset C Person 3

Table B2: Complete list of external dependencies

CTSSR IT Risk Template – February 2015 5

 External Service Name Vendor or Comments
Dependency* departmental contact
information
Dependency 1 Service Explain the need for this
(e.g. Third Party dependency:
Vendor
products)
Dependencies 2 Example: Hosted Why the dependency?
(e.g, central IT website name
services;
Hosting, Banner,
Scholar, etc.)
Dependencies on Example: Why the dependency?
non-IT VT Hokiemart,
services HokieServ
*External dependencies are those assets that are important to your business operations but not owned or
controlled by your organization or unit within an organization. This includes third party vendors, and
services provided by different departments or organizations.

CTSSR IT Risk Template – February 2015 6

 Step 2: Mission Impact Analysis (B)
Starting with technology asset inventory list generated in Step 1, classify the each asset as
“Mission Critical, Essential, or Normal.

Mission Critical – Mission critical assets are those technology assets that are highly
sensitive with respect to confidentiality, integrity, and/or availability, or which, if
compromised, could cause physical, financial, or reputational harm to the university, or
members of the university community (Policy 7105.) Lastly, an asset could be classified as
mission critical if it is subject to legislative, regulatory, and/or contractual compliance
requirements; or is involved in restricted research activities (as classified under the
International Traffic in Arms Regulations, ITAR).
Essential – The department could work around the loss of this information asset for several
days or perhaps a week, but eventually the technology asset would have to be restored to a
useable status.
Normal – The department as a whole can operate without this information asset for an
extended (though perhaps finite) period of time, during which particular units or individuals
may be inconvenienced and/or need to identify alternatives.

Further guidance for classifying critical assets can be found in Table 1 at:
http://www.it.vt.edu/ctssr/risk_assessment/itra_steps-1-2.php

Rearrange the technology assets listed in Step 1, such that departmental Mission Critical Assets
or External Dependencies are moved to the top of the table, Essential Assets appear second, and
Normal Assets appear at the bottom (using Table C, with each section expanded to have as many
rows as necessary):

Table C: Criticality classification of technology assets

Criticality Technology Primary Contact Location of Comments
Classification Asset for Asset Asset

Mission Critical Asset C Person 1

Mission Critical Asset A Person 1

Asset D
Essential Person 3

Essential Asset E Person 4

Normal Asset B Person 2

Normal Asset F Person 1

CTSSR IT Risk Template – February 2015 7

 Step 3: Identify and Define Associated Risks to Critical Assets
For each Mission Critical Asset, risks are reviewed and rated using table D below. Please cut and
paste the table below as many times as needed to provide one table for each Mission Critical
Asset identified in Step 2.

Detailed information about how to rate likelihood and impact of risks and an explanation of risk
responses (required in Table E below) is available at:
http://www.it.vt.edu/ctssr/risk_assessment/understanding_risk/

Table D: Rating of probability / impact of potential risks for each mission critical asset
Rate the Likelihood Rate the Impact
Mission Critical Asset: of Risk of Risk
__________________________
POTENTIAL RISK High Medium Low High Medium Low
Lax or Dated System Administration
Practices
Inadequate Desktop Access Control
Management
Lax Operational Policies
Key Person Dependency
Lack of Strong Passwords
Inadequate Safeguards on Sensitive
Data
Inadequate Access Control
Inadvertent Data Exposure/Loss
Inappropriate Use of Clear Text
Lack of Adequate Physical Security
Natural Disaster
Loss of Network Connectivity; Man-
made Disaster, Construction,
Contamination
Hardware Failure/Service Loss
Malware
Social Engineering, Phishing
Insecure Vendor or Custom-Developed
Software
Lack of Service Level Agreement
External Vendors
IP Spoofing or Forgery
Lack of Funds
Outdated Continuity of Operations Plan
(COOP)
* See ‘Understanding Likelihood and Impact Ratings & Risk Responses’ -
http://www.it.vt.edu/ctssr/risk_assessment/it_risk.php for expanded definitions.

CTSSR IT Risk Template – February 2015 8

 Once the risks pertaining to each critical asset have been identified and rated, the specific impact
of any risk that rated a HIGH impact should be briefly illustrated. How much detail to include in
each definition will be left to the discretion of assessment team members, and may depend on
how much is known about the specific risk.

Step 4: Recommendations to Mitigate Risks to Critical Assets

For each risk pertaining to an asset listed in Step 3 that carries a high impact rating, the ITRA
team members should develop one or more possible solutions to respond to the risk.

Table E: Mitigation strategies for each risk associated with a mission critical asset.
Mission Potential Risk Justificatio Current or planned controls or
Critical High Response* n for Risk actions to address risk
Asset Impact (Options: Response
Risks Accept, Avoid, Required
Mitigate,
Share,
Transfer)
Example:
Asset C Risk 1 accept Compensati Control X is implemented – no
ng controls action required.
in place.
Risk 2 Example:
accept No funding No action required
to
implement
compensati
ng controls
Example: Plans Plans underway to implement
Risk 3 mitigate underway control X Enforce control X
to
implement
control X
Example:
share Shared We monitor access control lists,
responsibilit manage data integrity etc.
y with
hosting.
Example:
transfer Compliance Transferred responsibility of
requirement protecting data to third party
university contracted provider.
Example:
Risk 3 Avoid Unnecessar Eliminate the process that poses
y process, high risk.
Risk 1
Asset A Solution 1

Risk 2 Solution 1

Solution 2
*Risk Response is the stated decision of accepting, avoiding, mitigating, sharing, or transferring an
identified risk to organizational operations. See ‘Understanding Likelihood and Impact Ratings & Risk
Responses’ for expanded definitions.

CTSSR IT Risk Template – February 2015 9

The final section of the IT risk assessment process should be considered an executive summary of
risks to organizational critical information assets and the actions proposed to respond to those
risks. The first step of the executive summary will require a review of previously identified risks
to critical IT assets and the status of the proposed solutions which were documented in the last
ITRA conducted. The final step is to document the proposed solutions for the risks noted in Step
4 for which the risk response is either mitigate, share, or transfer.

Step 5 - Executive Summary

Proposed risk solution(s), past and present

Note: If this is an initial IT risk assessment, skip to step 5b.

5a. Status of proposed risk solution from previous IT risk assessment

Date of last risk assessment:

Note: Please copy and paste the headings below as many times as needed to provide status details
for each previously noted risk

Critical Asset(s):

Risk(s) identified:

Proposed Solution(s):

Status of proposed solution(s):

5b. Recommendations for addressing risks to critical technology assets

Please copy and paste the headings below to provide a section for each proposed solution noted in
Step 4 for which the risk response is either mitigate, share, or transfer.

Asset C,
Risk 1,
Proposed Solution 1:
Cost – if known:
Expected Benefits:
Person(s) responsible for monitoring and/or executing the solution:
Proposed Timetable for implementing solution:

Asset C,
Risk 1,
Solution 2:
Cost – if known:
Expected Benefits:
Person(s) responsible for monitoring and/or executing the solution:
Proposed Timetable for implementing solution:

CTSSR IT Risk Template – February 2015 1

0
CTSSR IT Risk Template – February 2015 1
1
Your completed report should be sent in as an attachment to [email protected].

Table F: Five-year record of revisions (for your own reference)

Year Filename Contact (name, email)

CTSSR IT Risk Template – February 2015 1

2