Risk Assessment Tools
These are approved tools and documents for conducting risk assessments at Iowa State University. For further information or explanation contact the Director, IT Security and Policies in IT Services. This office is available to assist departments in understanding the risk assessment process and getting started on completing their forms.
Schedule of Risk Assessments
This schedule outlines the timing of, and the responsibility for, the periodic risk assessments required under the direction of the IT Security and Policies area.
Business Impact Analysis and Risk Assessment
This document contains general information and a description of the risk assessment process. A list of common risks is included to help evaluate the risks in a particular environment. A sample template for the report is also available.
IT Security Risks and University Impact
This table includes examples for each of the four IT security objectives (confidentiality, data integrity, availability, authorized use) at each of the three levels of risk (low, moderate, high).
| Objective | Low | Moderate | High |
| --- | --- | --- | --- |
| Confidentiality | Disclosure of course offerings before the Registrar publishes the information on the web. | Disclosure of e-mails detailing a negotiation strategy during a land purchase. | Disclosure of student medical records. |
| Data Integrity | Malicious modification of a student's personal webpage. | Malicious modification of classroom schedules, leading to overbooking or confusion for a period of time. | Malicious modification of an administrative report, leading to embarrassment for the university. |
| Availability | Attack on servers holding personal web pages, or attack on networked environmental controllers. | Attack on the course registration servers during the student registration weeks. | Attack on the network routers, which would render most networks inoperable. |
| Authorized Use | An Iowa State University student shares a password with a high-school friend, thereby granting the friend unauthorized access to computing services. | Gaining access to a computer with publicly available hacking tools, then using the computer to capture passwords on the network. | Gaining access to a computer with publicly available hacking tools, then using the computer as a platform to launch a debilitating attack on the campus networks. |
This spreadsheet will help prioritize which risks should be addressed first.
Payment Card Industry Self-Assessment
Information on the Payment Card Industry Data Security Standard (PCI DSS) can be found on the PCI Security Standards Council website. Every entity that processes, stores, or transmits credit card information must use this form to complete the self-assessment. The completed form is sent to the PCI compliance officer in the Treasurer's Office, with a copy to the Director, IT Security and Policies in IT Services.