Risk Assessment Tools

These are approved tools and documents for conducting risk assessments at Iowa State University. For further information or explanation contact the Director, IT Security and Policies in IT Services. This office is available to assist departments in understanding the risk assessment process and getting started on completing their forms.

Schedule of Risk Assessments

This schedule outlines the timing and responsibility of required periodic risk assessments under the direction of the IT Security and Policies area.

Schedule of Risk Assessments for Information Security

Business Impact Analysis and Risk Assessment

This document contains general information and a description of the risk assessment process. A list of common risks is included to help evaluate the risks in a particular environment. A sample template for the report is also available.

Business Impact Analysis and Risk Assessment for Information Technology

Sample Template

IT Security Risks and University Impact

This table includes examples for each of the four IT security objectives (confidentiality, data integrity, availability, authorized use) at each of the three levels of risk (low, moderate, high).

IT Security Risks and University Impact

Objective: Confidentiality
  Low risk:      Disclosure of course offerings before the Registrar publishes the information on the web.
  Moderate risk: Disclosure of e-mails detailing a negotiation strategy during a land purchase.
  High risk:     Disclosure of student medical records.

Objective: Data Integrity
  Low risk:      Malicious modification of a student's personal webpage.
  Moderate risk: Malicious modification of classroom schedules, leading to overbooking or confusion for a period of time.
  High risk:     Malicious modification of an administrative report, leading to embarrassment for the university.

Objective: Availability
  Low risk:      Attack on servers holding personal web pages, or attack on networked environmental controllers.
  Moderate risk: Attack on the course registration servers during the student registration weeks.
  High risk:     Attack on the network routers, which would render most networks inoperable.

Objective: Authorized Use
  Low risk:      An Iowa State University student shares his or her password with a high-school friend, thereby granting that friend unauthorized access to computing services.
  Moderate risk: Gaining access to a computer with publicly available hacking tools, then using the computer to capture passwords on the network.
  High risk:     Gaining access to a computer with publicly available hacking tools, then using the computer as a platform to launch a debilitating attack on the campus networks.

Risk Prioritization

This spreadsheet will help prioritize which risks should be addressed first.

Risk Prioritization

Payment Card Industry Self-Assessment

Information on the Payment Card Industry Data Security Standard (PCI DSS) can be found on the PCI Security Standards Council website. Every entity that processes, stores, or transmits credit card information will use this form for completing the self-assessment. The completed form is sent to the PCI compliance officer in the Treasurer's Office, with a copy to the Director, IT Security and Policies, IT Services.