RISK ASSESSMENT OVERVIEW DEFINITIONS

A. Overview:

Risk is defined as the "possibility of an event occurring that will have an impact on the achievement of objectives." Organizations are exposed to a wide variety of risks every day. The impact of these risks could affect an organization's finances, operations, legal standing, or reputation. To effectively manage these risks, management should have a process to identify, assess, prioritize, and manage them.

This file contains five tabs to help you identify and assess risks for your organization or project. The following summarize the five tabs:

• Template Overview & Definitions. This tab defines terms used in the Risk Assessment Template and steps for completing your risk assessment. The definitions and steps are in sections B and C of this tab.
• Blank Risk Assessment Template. This tab contains the column headings you can use to create your risk assessment. It is designed to be flexible enough to develop a risk assessment for a unit, department, process, or project. You can identify your own categories, risks, and descriptions. You may also choose to cut, paste, or modify risks included in the three sample tabs.
• Business Risk Assessment Sample. This sample risk assessment identifies common "business" risks associated with a university.
• IT Risk Assessment Sample. This is a sample risk assessment for an information technology issue -- wireless data networks. Thus, it uses a different set of categories than the Business Risk Assessment Sample. Please note that rows eight through 15 identify risks associated with the complete lifecycle of an information technology project.
• Security Risk Assessment Sample. This is a sample risk assessment for an organization's information security program and practices.

B. Definition of Terms:

TEMPLATE TERM -- DEFINITION

Category of Risk -- This is an optional column. You can use this to categorize risks you identified in the Issue/Risk column.

Issue/Risk -- In this column, briefly identify the risk or issue with which you are concerned.

Risk Description (Explanation of Threat) -- This column describes the risk associated with the Issue/Risk identified in the previous column. You can also use this column to identify more information on other risks you identified. Consider what can go wrong if this risk is not managed.

Potential Impact [1 (Low) to 5 (High)] -- Use this column to identify the impact to your organization if the issue/risk were to occur. You should rank the risk from Low (1) to High (5).

Likelihood [1 (Low) to 5 (High)] -- Use this column to determine the likelihood of the issue/risk actually occurring. You should rank the risk from Low (1) to High (5).

Risk Ranking -- This column automatically generates the risk score by multiplying the Potential Impact by the Likelihood. The higher the number, the greater the risk to the organization.

Primary Point of Contact to Mitigate This Risk -- Use this column to identify the organization or person who is responsible for managing/mitigating the risk. This can be internal or external to your organization.

Current Strategies for Mitigating the Risk -- Use this column to identify how this risk is being managed/mitigated. Possible strategies may consist of existing policies and procedures; manual reviews; and technology to manage the risk.

Description of Monitoring in Place -- Use this column to identify what you are doing to monitor the risk, or to monitor the person or organization responsible for mitigating the risk.

Comment -- This is an optional column, which you can use to include special notes or comments.

C. Steps for Completing the Risk Assessment:

1. Use a brainstorming process to identify the issues, uncertainties, and risks you are concerned about. You do not need to worry about the likelihood of each one occurring at this stage. When you are done, place these "issues/risks" in the column of the Risk Assessment called Issue/Risk. If you want, you can group these into common categories. If you do group them, you can place the category label in the column called "Category."

2. Next, review each risk and issue you identified and describe it in one to three sentences. As you describe the issue/risk, consider threats, vulnerabilities, and impact if the risk is not managed. Place this information in the column called "Risk Description."

3. Now consider the impact if the risk is not managed. Consider the scope of the impact (e.g., university, department, section) and the business, operational, and reputational impact. Rank the level of impact from 1 (Low) to 5 (High).

4. Now consider the likelihood of bad consequences occurring with the current policies, procedures, practices, and technology you have in place to manage the risks. Rank the likelihood of impact from 1 (Low) to 5 (High).

5. As you complete steps 3 and 4, the risk assessment will automatically calculate the "Risk Ranking" of the issue/risk by multiplying the impact of the risk by its likelihood of occurrence. The higher the number, the greater the risk to your organization.

6. Now identify who or what organization is managing the risk now. Place the name in the column called "Primary Point of Contact to Mitigate This Risk."

7. Now identify how the risk is being managed now. Consider policies, procedures, technologies, and manual practices. Place the controls in the column called "Current Strategies for Mitigating the Risk."

8. Next, identify who is monitoring the controls, and how, to ensure the risk is being managed. Place this information in the column called "Description of Monitoring in Place."

9. Finally, review the list for accuracy. Note the risks which scored the highest. Use this as a guide to determine which risks to manage. You should consider taking action to manage the risks that have the highest Risk Ranking. Because the priority of risks does not remain constant, you should regularly update this assessment.
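As an added worked example (not part of the original template, and not the spreadsheet's own formula logic), the following Python script applies steps 3, 4, 5 and 9 to a small register: it rejects any impact or likelihood score that is off the 1 (Low) to 5 (High) scale, computes the Risk Ranking as impact multiplied by likelihood, and orders the register so the highest rankings come first. The issue names are borrowed from the wireless sample tab; the scores, the tie-break by impact and the per-category roll-up are assumptions made for this example.

```python
"""Added worked example: scoring and prioritizing risks the way steps 3, 4, 5
and 9 of the template describe. Sample risks and scores are constructed for
illustration; they are not the scores from any of the sample tabs."""
from __future__ import annotations

from dataclasses import dataclass

# Both Potential Impact and Likelihood are ranked 1 (Low) to 5 (High).
SCALE = range(1, 6)


@dataclass(frozen=True)
class Risk:
    """One row of the Risk Assessment Template (the scored columns only)."""
    category: str        # optional grouping label (the "Category" column)
    issue: str           # "Issue/Risk"
    description: str     # "Risk Description (Explanation of Threat)"
    impact: int          # "Potential Impact [1 (Low) to 5 (High)]"
    likelihood: int      # "Likelihood [1 (Low) to 5 (High)]"
    point_of_contact: str = ""    # "Primary Point of Contact to Mitigate This Risk"
    current_strategies: str = ""  # "Current Strategies for Mitigating the Risk"
    monitoring: str = ""          # "Description of Monitoring in Place"

    def __post_init__(self) -> None:
        # Reject scores outside 1..5 so a typo cannot silently distort the ranking.
        for name in ("impact", "likelihood"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{name} must be between 1 and 5, got {value!r}")

    @property
    def ranking(self) -> int:
        """Step 5: Risk Ranking = Potential Impact x Likelihood (1..25)."""
        return self.impact * self.likelihood


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Step 9: order the register so the highest Risk Ranking comes first.
    Ties are broken by impact (an assumption of this example; the template
    itself defines only the product), so the risk with the worse consequences
    is listed first among equally ranked risks."""
    return sorted(risks, key=lambda r: (r.ranking, r.impact), reverse=True)


def max_ranking_by_category(risks: list[Risk]) -> dict[str, int]:
    """Highest Risk Ranking within each Category (assumed roll-up for this example)."""
    result: dict[str, int] = {}
    for r in risks:
        result[r.category] = max(result.get(r.category, 0), r.ranking)
    return result


def render_register(risks: list[Risk]) -> str:
    """Plain-text rendering of the prioritized register, one row per risk."""
    lines = [f"{'Rank':>4}  {'Imp':>3}  {'Lik':>3}  Category / Issue"]
    for r in prioritize(risks):
        lines.append(f"{r.ranking:>4}  {r.impact:>3}  {r.likelihood:>3}  {r.category} / {r.issue}")
    return "\n".join(lines)


# Constructed sample register: the issues come from the wireless sample tab,
# the impact and likelihood scores are made up for this example.
SAMPLE_RISKS = [
    Risk("Strategy", "Lack of Governance Strategy",
         "Ineffective governance inhibits effective use of resources.", impact=4, likelihood=2),
    Risk("Strategy", "Lack of Policies, Standards, & Procedures",
         "Noncompliance with policies and procedures.", impact=4, likelihood=3),
    Risk("Strategy", "Lack of Management Communication",
         "Expectations are not communicated to faculty and staff.", impact=3, likelihood=4),
    Risk("Life Cycle Management", "Inadequate Wireless Network Planning & Design",
         "Lack of resources necessary for completion of the project.", impact=5, likelihood=3),
    Risk("Life Cycle Management", "Inappropriate Wireless Network Procurement",
         "Inappropriate or unapproved purchases.", impact=3, likelihood=2),
]

if __name__ == "__main__":
    print(render_register(SAMPLE_RISKS))
```

Running the script prints the register with the 15-point Planning & Design risk at the top, the two 12-point risks next (the one with impact 4 before the one with impact 3), then the 8- and 6-point rows, which is the order step 9 asks you to work through.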

Risk Assessment Discussion Tool

[Blank Risk Assessment Template: column headers only, rotated in the original layout: Category; Issue/Risk; Risk Description (Explanation of Threat); Potential Impact [1 (Low) to 5 (High)]; Likelihood [1 (Low) to 5 (High)]; Risk Ranking; Primary Point of Contact to Mitigate This Risk; Current Strategies for Mitigating the Risk; Description of Monitoring in Place; Comment]

RISK ASSESSMENT DISCUSSION TOOL

[Column headers of the sample table, rotated in the original layout: Category; Issue/Risk; Risk Description (Explanation of Threat); Potential Impact [1 (Low) to 5 (High)]; Likelihood [1 (Low) to 5 (High)]; Risk Ranking; Primary Point of Contact to Mitigate This Risk]

EXECUTIVE MANAGEMENT CONTROLS -- Issue/Risk
Executive Management controls are the responsibility of Senior University Administration. They include the following over-arching activities:

1. Strategic -- Strategic planning helps to ensure that the University is being driven and powered in an optimal and consistent manner towards the achievement of identified goals. Control weaknesses occur when:
a. The strategic plan is not sufficient or updated to meet new challenges and opportunities.
b. The strategic plan is not adequately and effectively communicated.
c. There is a lack of a risk management process to identify risks impacting the successful achievement of the University's mission.

2. Ethical -- The upholding of ethical standards throughout the University helps to ensure that decisions are made with a shared University standard of values and ethics. Control failures result when:
a. There is no code of ethics or a lack of policies relating to unacceptable behavior and decision making.
b. There is improper/illegal use of management overrides.
c. Decision making is prejudiced or based on biased information.
d. There is a failure to take responsibility and proper action when significant deficiencies are known or significant incidents occur (inadequate crisis management).

3. Community Relations & Social Embeddedness -- Effective community relations and a sense of social embeddedness help to ensure that the University continues to maintain a reputation as a leader in higher education and is responsive to the needs of the state and surrounding areas. Reputational risks include:
a. Poor relations with parents, students, and prospective students.
b. Failure to offer a quality academic program that meets the needs of the community (in Nebraska and surrounding states).
c. Ineffective marketing/public relations.
d. Special interests drive the University's priorities.
e. The inability or unwillingness to address the community's needs and expectations.

4. Organizational Structure & Communications -- An effective organizational structure facilitates the achievement of the University's mission. It helps to ensure that information is shared appropriately. Risks occur when:
a. The organizational structure is not reviewed periodically for efficiency and alignment with identified strategic goals.
b. The organizational goals and objectives are not developed, communicated, and monitored for achievement.
c. There is a general lack of effective organization-wide communications.
d. Institutional policies and procedures are not current and/or easily accessible and understood by faculty and staff.
e. There is a failure to communicate organizational changes and policies to the UNL community efficiently and effectively.

5. Academic Standards -- Academic excellence is achieved with quality faculty and dedicated students and staff. Conditions which may thwart these expectations include:
a. Failure to achieve accreditation and quality academic programs.
b. Lack of effective oversight of faculty recruitment, retention, development, and turnover. Also, inadequate planning for faculty replacement due to faculty retirements.
c. Inadequate faculty size or over-reliance on part-time faculty.
d. Insufficient recognition or incentives for instructional quality.
e. Ineffective academic administrator selection and training.
f. Failure to establish and maintain entrance quality standards that are consistently and equitably applied.

6. Funding -- Adequate funding is essential to fulfill the University's mission of academic excellence. Funding risks include:
a. Insufficient revenues to sustain teaching, research, student housing, research facilities, and the University infrastructure.
b. An allocation of resources among academic programs that does not reflect UNL's priorities (mission, objectives).
c. An over-commitment of resources by the University or unexplained deviations from the budget.
d. A violation of the public's trust and confidence by improperly using, or mismanaging, state funds.

MANAGEMENT CONTROLS -- Issue/Risk
Management controls are the responsibility of College Deans, Departmental Heads, or other designated staff with functional responsibilities. They include the following:

1. Strategic -- Strategic planning helps to ensure that the University is being driven and powered in an optimal and consistent manner towards the achievement of identified goals. Control weaknesses occur when:
a. There is a lack of, or an obsolete, strategic plan for the College/Department.
b. The College's or Department's strategic plan is misaligned with the University's strategic plan and objectives.
c. The College's or Department's strategic plan is not communicated to faculty and staff.

2. Objective Setting -- Goals and objectives help to ensure attainment of the strategic plan. Control weaknesses occur when:
a. The College's/Department's goals and objectives are missing or obsolete.
b. Objectives and goals are misaligned with the College's/Department's strategic plan.
c. The College's/Department's goals and objectives are not measurable.
d. Staff are unaware of the College's/Department's objectives and/or the status of attaining goals is unknown or unmonitored.

3. Governance -- Effective governance assures the effective use of resources for the achievement of identified goals. A lack of governance may result when:
a. The College's/Department's policies are obsolete, incomplete, inaccessible, and/or misunderstood by staff and faculty.
b. There is a failure to monitor and assess essential functions of the college/department in a timely manner.

SYSTEM-WIDE CONTROLS -- Major Functions
System-wide controls are the responsibility of all employees at the University; however, central offices have established primary systems to facilitate administering these functions.

1. Auxiliaries -- Auxiliaries such as UNL's Bookstore, Parking, Housing, etc. face the risk of insufficient revenue to cover costs in addition to many of the risks listed below.

2. Bursar's Office -- The risks for handling cash and revenue recording may include:
a. Inadequate cash handling procedures to identify and prevent cash misappropriations or lost cash receipts.
b. Unrestricted access to cash.
c. Untimely deposits of cash.
d. Inadequate petty cash policies.
e. Unrecorded receivables or untimely posted receivables.
f. Uncollected revenue due to an inadequate collection process.
g. Improper valuation of the allowance for doubtful accounts and/or inappropriate account write-offs.
h. Untimely bank account reconciliations.

3. Facilities Planning -- Facilities Management and Planning (FMP) provides leadership for building and outdoor grounds maintenance. FMP also oversees campus construction projects. Challenges include:
a. Facilities do not meet safety and access regulations (i.e., not ADA compliant), lack a fire suppression system, or have deteriorated to being an unsafe facility.
b. Out-of-date facilities no longer meet the needs of faculty, researchers, students, and administration.
c. Insufficient space to meet the demands of faculty, researchers, and students.
d. Lack of timely scheduled maintenance on facilities.
e. Unapproved work authorizations or work authorized only after work commenced.
f. Ambiguous construction contract templates that fail to represent the best interests of the University.
g. Lack of a prompt review of construction project costs to ensure contract compliance.
h. Bidding process is not open to all qualified contractors.
i. Insufficient funding to perform deferred maintenance on facilities, resulting in excessive and growing deferred maintenance costs.

4. Financial Services -- Effective financial systems will help deter:
a. Improper classification or recording of transactions in accordance with University and regulatory standards.
b. Failures to comply with state and federal reporting requirements.
c. Duplicate payments.
d. Untimely or misleading financial reports required for management decision making.
e. Unauthorized, untimely, or inaccurate departmental charge backs (inter-departmental charges).
f. Inappropriate year-end cut-off procedures and closing entries.
g. Errors in the accounting system are not detected in a timely manner.
h. An overly complex accounting system resulting in user difficulties and/or unclear management reports.

5. Health & Safety -- Health and safety procedures and training are administered by Environmental Health and Safety. These procedures are designed to mitigate against the following risks:
a. Unsafe lab procedures. Training on safe lab procedures is unavailable or not communicated.
b. Unawareness by facility and office staff of safety hazards.
c. Failure to properly identify and secure hazardous materials.
d. Lack of an appropriate disposal system for biological and radioactive waste.
e. Failure to meet OSHA, Homeland Security, and other regulatory statutes.

6. Human Resources -- Hiring, employee compensation, personnel actions, and other human resource actions may include the following risks:
a. Insufficient guidance provided to hiring managers in regard to posting job vacancies and making optimal hiring decisions that are in compliance with federal, state, and University requirements.
b. Uncompetitive salaries and benefits for the relevant job market and surrounding area.
c. Unavailable or obsolete job descriptions with which to evaluate job responsibilities and salary competitiveness.
d. Non-existent or inadequate performance measures and reviews.
e. No procedures to address unsatisfactory performance expectations.

7. Payroll -- Payroll risks include:
a. Unauthorized or "ghost" employees are issued salary payments.
b. Employee payroll deductions are not made as authorized by the employee.
c. Insufficient payroll funds are retained for social security tax, retirement withholding, income tax withholding, and medical benefits.
d. Lack of a system to budget and monitor payroll expenditures.
e. Failure of the payroll system to capture all necessary reporting information for types of pay, including additional pay, overtime pay, administrative, supplemental, vacation, family leave, etc.

8. Procurement -- Risks associated with procurement services may include:
a. University employees are unaware of the procedures required to purchase goods and services at the University.
b. Purchases are made from unauthorized or "ghost" vendors.
c. Costs to administer the purchasing function are excessive.
d. Failure to properly record purchase transactions in the Financial System.
e. Failure to maximize purchasing power through preferred vendor contracts.
f. Consistently poor quality of goods and services obtained from certain vendors.
g. Outdated, inadequate, or ambiguous contract templates.
h. Lack of a process to ensure that only authorized personnel procure goods and services.

9. Property Control -- In managing property control the risks may include:
a. Unrecorded or undervalued capital assets.
b. Untimely detection and reporting of missing capital assets.
c. Surplus Property is not recycled, sold, or disposed of properly.
d. Inadequate accountability for safeguarding of capital assets.
e. Significant discrepancies between inventory records and departmental accounting records.

10. Security -- Security risks may include:
a. Emergency safety and health procedures are not communicated effectively.
b. Failure to identify and promptly respond to criminal and threatening behavior.
c. Failure to promptly notify Student Affairs of safety incidents and preventative measures.
d. Inadequate security over inventories, artifacts, etc.
e. Failure to deter unauthorized access to facilities and student housing.
f. Inability to retain staffing and provide adequate security at all times.
g. Lack of an emergency response plan for major disruptions.

11. Risk Management -- UNL's Risk Management should be contacted in the event of property damage or theft losses. Risks may include:
a. Failure to communicate the process required to file an insurance claim when necessary.
b. Failure to inform Risk Management of losses in a timely manner.
c. Failure to identify those areas in which additional insurance may be required, e.g., employee travel to sanctioned countries. (Also, inability to identify those instances whereby an external provider of services may be required to provide evidence of additional insurance to mitigate against risks.)

12. Sponsored Research -- Sponsored funding administration that fosters and supports academic research may include the following risks:
a. Lack of institutional policies and accounting systems to help ensure compliance with the terms of the grant and federal grant regulations, including animal and human research and time/effort reporting.
b. Lack of training to assist with grant-writing proposals and future funding.
c. Inadequate or overly complex grant accounting.
d. Lack of monitoring of charges and cost transfers to grants.
e. Insufficient records to provide evidence of effort reporting as required in OMB A-21.

13. Student Affairs -- Student Affairs is responsible for creating a supportive environment for student learning. Risks include:
a. Inadequate student housing and/or meals are not made available to students at a reasonable cost.
b. Inappropriate exposure of confidential student records.
c. Failure to address the needs of a diverse student population.
d. Ineffective governance of student organizations.
e. Failure to provide a supportive social environment.
f. Ineffective student grievance process.
g. Insufficient student fees to cover related costs.
h. Insufficient student advisory services for degree requirements.

14. Travel -- Expenditures incurred for travel may include the following challenges:
a. Lack of adequate policies and procedures. The policies should help ensure travel is preauthorized, serves a business purpose, and costs are kept to a minimum.
b. Departments are unaware of the cost-savings options available to UNL employees for safe travel.
c. Travel costs are not reviewed for compliance with University and statutory requirements.

DEPARTMENTAL/UNIT CONTROLS (may include processes in the System-wide Controls section above) -- Process
Effective key business processes help to assure college and departmental objectives are met. Listed below are some key business processes with some of the associated risks.

1. Accounting
a. Ineffective reporting system to track and communicate account charges.
b. Departmental charges are not independently reviewed and approved by a department official.
c. Account posting errors are undetected or corrected in an untimely manner.

2. Grant Administration
a. The process to administer grants is insufficient to prevent unallowable or inadequately documented charges to the College's grants.

3. Payroll
a. Pay rates and job status for employees have not been properly approved by the employee's hiring manager (including overtime, additional time, etc.).
b. Hours worked are not in compliance with University or regulatory requirements.
c. Payroll hours charged to a grant are unallowable or excessive.
d. Labor hours are entered into the system incorrectly.
e. Leave absences for sick, vacation, etc. are not approved by an authorized individual in a timely manner.

4. Procurement
a. Goods and services are acquired without proper authorization and/or do not serve a business objective.
b. Expenditures for goods and services are excessive.
c. The quality of the goods and services is inferior and inadequate to meet the business needs of the College/Department.
d. Access to items purchased is unrestricted.
e. Goods and services are purchased in a manner that is noncompliant with University and regulatory requirements.
f. Expenses for procurement are not accurately reported in the financial system (SAP).

5. Revenue
a. The fee or revenue structure has been implemented without appropriate approvals, is unclear, or is inadequately communicated.
b. The fee or revenue structure is out-of-date and is no longer reasonable.
c. The fee or revenue structure is applied inconsistently.
d. There is no assurance that all revenue and cash receipts are accurately and completely accounted for within the College/Department.
e. Uncollected revenue is not pursued.
f. Cash is not properly safeguarded against theft or misappropriation.

6. Surplus Property
a. Unused property is not properly transferred to Inventory for disposal.
b. Asset turnover is greater than expected.

7. Travel
a. Travel is not pre-approved in a timely manner with estimated travel costs.
b. There is no review of the travel claim for reasonableness and business purpose.
c. The travel claim is processed in a manner that is noncompliant with UNL and regulatory requirements.
d. Travel is inaccurately recorded in SAP.
[Right-hand columns of the sample table, blank in the original (rotated column headers only): Current Strategies for Mitigating the Risk; Description of Monitoring in Place; Comment]
Page 40 of 62
WIRELESS DATA NETWORK RISK ASSESSMENT AS OF April 9, 2010

[Column headers, rotated in the original layout: Category; Issue/Risk; Risk Description (Explanation of Threat); Potential Impact [1 (Low) to 5 (High)]; Likelihood [1 (Low) to 5 (High)]; BEST PRACTICE CONTROLS]
Strategy
1 Lack of Ineffective goverence, which inhibits the Management defines the overall purpose of
Governance effective use of resources for the achievement the network; identifies who is authorized to
Strategy of identified strategic goals. (Has University use the network and for what purpose;
management identified the purpose and identifies what information can be
acceptable use of the wireless network; who is transmitted over the network; and identifies
allowed to use the network; who is responsible who will set standards, establish service
for setting standards; who is responsible for levels, and procure and maintain network
managing the network; and who can grant components.
exemptions?)

2 Lack of Regulatory, Noncompliance with regulatory and statutory Periodically review regulations and
Contractual, & requirements. (Has the University identified the contracts to understand data management
Legal Requirements applicable regulations that govern use of radio and disclosure requirements. Identify
waves and applicable protocols for the wireless protocols and security standards that will
network? Has the University identified meet regulatory, contractual, and legal
applicable laws that govern privacy and use of requirements
networks? Does the University have specific
contract requirements on how partner data will
be handled or managed in the event of data
compromise?)

3 Lack of Policies, Noncompliance with policies and procedures. Develop documented policies on use of
Standards, & (Does the University have documented policies network. Develop policies on how network
Procedures and procedures that identifies who and what and keys will be managed. Identify
devices can access its wireless network and standards that will govern how connections
the "acceptable use" of its network? Does the will be made to the network (e.g., IEEE
University have polices on processes that 802.11ix/Extensible Authentication
govern management of wireless network (e.g., Protocol), encryption standards (e.g., AES
operations, key management, authentication, encryption), and authentication methods
incident response)?) (e.g., user ID & password, biometrics, smart
cards).

Page 41 of 62
WIRELESS DATA NETWORK RISK ASSESSMENT AS OF April 9 ,2010

4 Lack of Current policies, procedures and management Regular communication on acceptable use
Management expectations are not communicated to faculty of wireless network. Conduct initial and
Communication and staff. (Has Management communicated its recurring training for regular users of
policy on acceptable use of wireless network?) network (e.g., University-employees,
students). Conduct training on acceptable
use for short-time users of network (e.g.,
guests, contractors).

Life Cycle
Management

5 Poorly Implemented Undefined project parameters and goals. (Has Use formal project management
Initiation Phase the University performed an initial assessment methodology. Perform risk assessment to
of the wireless network requirements before it identify and evaluate wireless network
designs, implements, or upgrades it? Has the threats and their impact. Document
University identified high-level requirements wireless acceptable use policy that specifies
and stakeholders? Has management who is authorized to use the network and
approved the project and budget?) for what purpose. Identify high-level
operational, technical, and security
requirements. Mandate all connections use
industry-approved standards (e.g., IEEE
802.11) to facilitate subsequent life cycle
management phases.

6. Inadequate Wireless Network Planning & Design
   Risk Description: Lack of resources necessary for completion of the project. (Has the University identified: project scope and expected deliverables; correct team members and budget; schedule of activities that need to be considered to meet requirements; functional requirements; technical and security characteristics of the wireless network components; various clients who will use the wireless network; and resources needed to procure, operate, and maintain the wireless network and components?)
   Current Strategies: Use formal project management methodology to plan and design. Identify detailed functional, operational, technical, and security requirements. Conduct site survey to determine proper location of access points. Identify standards for authentication that will meet regulatory, contractual, and legal requirements. Plan for dedicated Virtual LAN (VLAN) to facilitate access point connections to wired network. Plan for dedicated management VLAN to facilitate wireless network administrative tasks. Plan to install network firewall between wireless network and wired network, if unauthenticated users are using the wireless network. Use third party security professionals to implement, if in-house resources do not have required skills.


7. Inappropriate Wireless Network Procurement
   Risk Description: Inappropriate or unapproved purchases. (Has the University: identified the components of the wireless network; considered security and maintenance requirements of the components; considered upgrade path of network and components; procured components that will meet functional, technical, and security requirements?)
   Current Strategies: Procure products (e.g., access points, stations, cryptologic modules) that will meet regulatory, contractual, legal and University operational and security requirements for confidentiality, integrity, and availability (e.g., WPA2 certified, AES). Procure authentication server and access points that can communicate in a secure manner and have time-stamp syncing capability with each other. Procure access points that can be configured to secure sessions and data (e.g., authorize sessions for a specific time period; terminate sessions after a specific time period; log security events and forward them to central logging server; can support authentication and encryption for administrative sessions; can support secure, independent management interface for administrative tasks).

8. Incomplete or Incorrect Wireless Network Implementation
   Risk Description: Incomplete or incorrect project implementation. (Has wireless network equipment been configured to meet operational and security requirements? Has network equipment been tested prior to being placed into production? Have associated systems been modified so they can work with wireless network devices? Have users been informed of changes?)
   Current Strategies: Use formal project management methodology to implement. Use strong, unique passwords for each access point. Disable all unneeded services on access points. Use strong authentication protocol (e.g., WPA2) on access points and disable WEP. Turn on logging to identify security and system issues. Establish secure trust relationship between access points and authentication server to prevent eavesdropping and masquerading. Manage keys to reduce likelihood they will be compromised. Use third party security professionals to implement if in-house resources do not have required skills.


9. Inadequate Wireless Network Operations & Maintenance
   Risk Description: Increased vulnerabilities due to the lack of regular maintenance. (Has the University identified who will perform maintenance; perform first, second, and third-level support; perform log management and monitoring functions? Have administrators been trained to perform their assigned tasks? Does the University have documented processes that will effectively manage, maintain, and secure the wireless network?)
   Current Strategies: Test and deploy patches. Change passwords regularly. Periodically update certificates. Manage keys to reduce compromise (e.g., regular updating, unique). Review audit logs regularly. Inventory access points and devices that connect to the wireless network. Perform periodic wireless network security assessments. Apply organization's security settings to access points after every access point reset. Provide ongoing training to system administrators.
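The implementation (row 8) and operations (row 9) strategies above list concrete access point settings: strong and unique passwords per access point, unneeded services disabled, WPA2 on and WEP off, and logging forwarded to a central server, re-applied after every reset. The checker below, an added example that is not part of the original assessment, turns that list into a baseline audit that can be run against exported access point settings. The field names, service names and sample configurations are constructed assumptions for illustration, not any vendor's export format.

```python
"""Baseline check for wireless access point configurations.

Added example, not part of the original assessment. It encodes the
row 8 and row 9 mitigations (strong unique passwords per access point,
unneeded services disabled, WPA2 on and WEP off, logging forwarded to a
central server) as a checker for exported AP settings. The field names
and sample configurations below are constructed assumptions.
"""
from collections import Counter

# Services the assessment says should be off unless required.
# The names here are assumed for illustration.
UNNEEDED_SERVICES = {"telnet", "http_admin", "snmp_v1", "snmp_v2c", "tftp"}
MIN_PASSWORD_LENGTH = 14


def password_is_strong(password: str) -> bool:
    """Length plus at least three character classes; a simple policy stand-in."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= MIN_PASSWORD_LENGTH and sum(classes) >= 3


def check_access_point(ap: dict, shared_passwords: set) -> list:
    """Return the findings for one access point (empty list = compliant)."""
    findings = []
    if ap.get("wep_enabled"):
        findings.append("WEP enabled")
    if ap.get("security") not in ("WPA2", "WPA2-Enterprise"):
        findings.append(f"weak security mode: {ap.get('security')}")
    if not password_is_strong(ap.get("admin_password", "")):
        findings.append("admin password does not meet policy")
    if ap.get("admin_password") in shared_passwords:
        findings.append("admin password reused on another access point")
    enabled_unneeded = UNNEEDED_SERVICES & set(ap.get("services", []))
    if enabled_unneeded:
        findings.append("unneeded services enabled: " + ", ".join(sorted(enabled_unneeded)))
    if not ap.get("logging_enabled"):
        findings.append("logging disabled")
    elif not ap.get("syslog_server"):
        findings.append("logging not forwarded to central server")
    return findings


def audit(access_points: list) -> dict:
    """Check every AP; return {ap_name: [findings]} for non-compliant APs.

    A password counts as shared when more than one AP uses it, which is
    what the row 8 mitigation (unique passwords per access point) forbids.
    """
    counts = Counter(ap.get("admin_password") for ap in access_points)
    shared = {pw for pw, n in counts.items() if n > 1}
    report = {}
    for ap in access_points:
        findings = check_access_point(ap, shared)
        if findings:
            report[ap["name"]] = findings
    return report


# Constructed sample export: the two library APs reuse one password,
# and the dorm AP has several problems at once.
SAMPLE_ACCESS_POINTS = [
    {"name": "ap-lib-01", "security": "WPA2-Enterprise", "wep_enabled": False,
     "admin_password": "Tq7!vexRm2#LpWd9", "services": ["ssh", "snmp_v3"],
     "logging_enabled": True, "syslog_server": "10.0.0.5"},
    {"name": "ap-lib-02", "security": "WPA2-Enterprise", "wep_enabled": False,
     "admin_password": "Tq7!vexRm2#LpWd9", "services": ["ssh", "telnet"],
     "logging_enabled": True, "syslog_server": ""},
    {"name": "ap-dorm-07", "security": "WPA", "wep_enabled": True,
     "admin_password": "admin123", "services": ["http_admin"],
     "logging_enabled": False, "syslog_server": ""},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCESS_POINTS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running the audit after every access point reset (the row 9 strategy) catches a device that came back with factory defaults, because such a device fails the WEP, password and logging checks at once; the password-reuse check only works across the whole fleet, which is why it is computed in audit rather than per device.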

10. Incorrect Wireless Network Asset Disposition
   Risk Description: Inappropriate retention of sensitive data. (Has the University identified who and how components will be retired and sanitized; and how long and on what media information and logs will be retained to meet legal requirements?)
   Current Strategies: Develop and implement processes to remove information (e.g., passwords, keys, sensitive configuration information) from devices when they are retired. If a central logging server does not exist, retain the log information on media for future review. Retain information based on data retention policy. Document process and periodically review archived information.

11. Inadequate Change Control
   Risk Description: Unauthorized changes. (Does the University let employees set up their own access points without approval of wireless network functional manager? Can network administrators make changes without notifying management and users? Are changes tested prior to placing them into production?)
   Current Strategies: Employ standard change control methodology to modify or upgrade wireless network.

Access & Authorization


12. Unauthorized Session/Data Interception
   Risk Description: Exposure of sensitive data. (Attackers can monitor and intercept communication between two legitimate parties to obtain authentication credentials and data (i.e., man-in-the-middle attack). Attacker can masquerade as legitimate user to gain access to unauthorized information. Attacker can set up a rogue access point which would look like an authorized access point. Attacker can delete, add, change, or reorder legitimate messages it has intercepted.)
   Current Strategies: Design radio coverage to minimize interception. Place access points and antenna to concentrate coverage in desired coverage area. Monitor area outside of coverage area to identify intruders. Monitor coverage area for unauthorized access points. Employ encryption (e.g., IPSec, SSL), using protocol consistent with regulations and contracts, to protect data.

13. Unauthorized Data Access
   Risk Description: Data integrity is unreliable. (Attacker gains unauthorized access by impersonating an authorized user.)
   Current Strategies: Configure network devices to reduce risk of unauthorized access: suppress broadcast of SSID; employ security protocol that facilitates authentication and encryption of data packets; register legitimate station MAC addresses and disallow connections from any others; segment network so sensitive data is not exposed to individuals who do not require access to sensitive data; employ VPN between client and access point outside firewall. Data stored on wireless devices should be secured (e.g., use encryption, passwords, locks).

Sustainability of Services

14. Deliberate Disruption of Services
   Risk Description: Unavailability of data or network systems. (Attacker can prohibit the normal use of or management of network devices or the entire network (i.e., denial of service attack).)
   Current Strategies: Design radio coverage to minimize risk of jamming. Regularly survey radio band for possible jammers. Perform regular physical surveillance to identify intruders and jammers. Disable SNMP protocol if it is not required.


15. Inadvertent Disruption of Services
   Risk Description: Inadequate user awareness of actions causing the unavailability of data or network systems. (Objects in the intended coverage zone (e.g., solid surfaces that block light, microwaves) can interfere with wireless transmission. User can disrupt operations for all users by transferring large size files for extended period.)
   Current Strategies: Evaluate wireless network coverage area to identify possible sources of interference. Follow manufacturer's guidance for placing access points. Test coverage to identify disruption. Regularly survey radio band for objects which could interfere with radio coverage. Perform regular physical surveillance to identify intruders and jammers. Document in policies and standards the impact and acceptable file transfer size. Educate users on need to minimize the transfer of large size files.

16. Inadequate Continuity of Services
   Risk Description: Backup data and/or systems are unavailable. (What happens if the wireless network is unavailable for an extended period? What happens if users are unable to access the wireless network?)
   Current Strategies: Implement disaster recovery/business continuity plans. Document processes and help desk functions that can help resolve users' access problems.

Security & Assurance
17. No Risk Assessment Process
   Risk Description: Exposure to unidentified risks not currently being managed. (Does the University identify and assess the risks of wireless threats to its architecture and business? Has the University identified the value of assets that may be exposed to wireless risks? Has the University identified the level of risk it is willing to assume?)
   Current Strategies: Perform periodic risk assessment of wireless technologies, University network architecture, vulnerabilities, and threats. Identify how much risk the University is willing to assume in use of the wireless network.

18. Unauthorized Devices Connect to Wireless Network
   Risk Description: Unintended increased exposure of data. (Does the University manage security of devices that connect to the wireless network? Can unsecure or infected machines connect to the University network? Wireless machines are often at greater risk than machines that connect to the network via wires.)
   Current Strategies: Establish and enforce machine configuration standards (e.g., antivirus, firewall, patches, machine & account configurations) to manage wireless risks. Configure devices to only be able to connect to valid access points. Inventory devices that connect to the network. Disable ad hoc mode on the devices unless there is a requirement for peer-to-peer networking.


19. Compromised Authentication Server & Access Points
   Risk Description: Unauthorized system access. (Breach of the authentication server would enable an intruder to access the network and University information. If access points are compromised, intruders can access network.)
   Current Strategies: Authentication server should be considered and secured as a high-value, sensitive University asset. Security should include antivirus software, regular patching, account and machine configurations, and physical security controls to minimize access. Access points should be configured with strong authentication and encrypted communications. Both devices should have capability to easily receive patches and firmware upgrades.

20. No Asset Monitoring
   Risk Description: Inappropriate system use. (Does University have tools to monitor network usage, performance, and threats to wireless network?)
   Current Strategies: Identify events that will be logged and reviewed. Develop and implement processes that will facilitate event monitoring. Deploy and use tools that can monitor network bandwidth usage. Deploy and use tools that can detect and prevent network intrusions. Deploy and use tools that can detect unauthorized access points and devices trying to connect to the network. Deploy and use tools that can identify vulnerabilities in devices that try to access the network.
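Rows 12, 13, 18 and 20 together describe one monitoring control: compare what is seen on the air against the inventory of authorized access points and the list of registered station MAC addresses, and alert on anything else, with an unknown radio advertising the University's own SSID (the rogue access point of row 12) treated as the most serious case. The code below is an added example of that comparison, not part of the original assessment; the SSIDs, BSSIDs, sensor locations and association events are constructed sample data standing in for output from a wireless scanner and the access point controller.

```python
"""Detect unauthorized access points and unregistered stations.

Added example, not part of the original assessment. Implements the
row 20 monitoring controls (detect unauthorized access points and
devices trying to connect) using the authorized AP inventory (row 9)
and registered station MAC addresses (row 13). All names, addresses
and events below are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    bssid: str      # radio MAC address of the access point observed
    ssid: str       # network name it advertises
    channel: int
    location: str   # sensor that observed it (constructed)


AUTHORIZED_SSIDS = {"Univ-Secure", "Univ-Guest"}

# Authorized inventory keyed by BSSID (constructed values).
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": {"ssid": "Univ-Secure", "location": "library"},
    "00:11:22:aa:bb:02": {"ssid": "Univ-Guest", "location": "library"},
    "00:11:22:aa:bb:03": {"ssid": "Univ-Secure", "location": "dorm-a"},
}

# Registered station MACs; row 13 disallows connections from any others.
REGISTERED_STATIONS = {"3c:22:fb:10:20:30", "3c:22:fb:10:20:31"}


def normalize(mac: str) -> str:
    """Canonical lower-case colon form so inventory lookups do not miss."""
    return mac.strip().lower().replace("-", ":")


def classify_beacons(beacons):
    """Return (severity, bssid, reason) for every beacon that is not in inventory.

    An unknown BSSID advertising one of our SSIDs is the rogue AP of row 12
    and is rated high. Any other unknown AP inside the coverage area is
    rated medium, as is an inventoried AP seen by a sensor where it does
    not belong (a moved or cloned device).
    """
    alerts = []
    for b in beacons:
        bssid = normalize(b.bssid)
        known = AUTHORIZED_APS.get(bssid)
        if known is None:
            if b.ssid in AUTHORIZED_SSIDS:
                alerts.append(("high", bssid,
                               f"unknown AP advertising our SSID {b.ssid!r} at {b.location}"))
            else:
                alerts.append(("medium", bssid,
                               f"unauthorized AP {b.ssid!r} at {b.location}"))
        elif known["location"] != b.location:
            alerts.append(("medium", bssid,
                           f"inventoried AP seen at {b.location}, expected {known['location']}"))
    return alerts


def unregistered_stations(association_log):
    """Given (station MAC, BSSID) association events, return unregistered MACs."""
    seen = {normalize(mac) for mac, _ in association_log}
    return sorted(seen - REGISTERED_STATIONS)


# Constructed scan results from two sensors.
SAMPLE_BEACONS = [
    Beacon("00:11:22:AA:BB:01", "Univ-Secure", 6, "library"),
    Beacon("00:11:22:aa:bb:02", "Univ-Guest", 11, "library"),
    Beacon("de:ad:be:ef:00:01", "Univ-Secure", 6, "library"),   # rogue twin of our SSID
    Beacon("66:77:88:99:aa:bb", "linksys", 1, "dorm-a"),        # unapproved AP
    Beacon("00:11:22:aa:bb:03", "Univ-Secure", 1, "library"),   # inventoried, wrong place
]

# Constructed association events from the controller: (station MAC, BSSID).
SAMPLE_ASSOCIATIONS = [
    ("3c:22:fb:10:20:30", "00:11:22:aa:bb:01"),
    ("3C-22-FB-10-20-31", "00:11:22:aa:bb:03"),
    ("f0:0d:ca:fe:00:99", "00:11:22:aa:bb:02"),
]

if __name__ == "__main__":
    for severity, bssid, reason in classify_beacons(SAMPLE_BEACONS):
        print(f"[{severity}] {bssid}: {reason}")
    print("unregistered stations:", unregistered_stations(SAMPLE_ASSOCIATIONS))
```

The inventory comparison is only as good as the inventory: an access point that an employee installs without change control (row 11) looks exactly like the "linksys" entry above, which is why the row 9 strategy of inventorying access points and the row 20 strategy of detecting unauthorized ones belong together.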

21. Inadequate Incident Response Capability
   Risk Description: Insufficient recovery plan. (Do a team and processes exist to respond to security incidents or disruption of service? Does the University know who to contact if a security incident occurs?)
   Current Strategies: Team should exist that can execute response to specific wireless network incidents. Documented incident response practices should exist to facilitate prompt, effective, and efficient responses. University should develop documented list of key personnel (e.g., key University personnel, law enforcement officials) to contact if incident occurs. Communication strategy should exist.

22. Inadequate Training
   Risk Description: Inadequate training. (Have network users been trained on risks associated with wireless networks? Have users been trained on how to manage those risks? Have network administrators been trained on how to configure and manage the wireless network components?)
   Current Strategies: Train wireless network users on acceptable and secure use of the network. Train users on how to secure their mobile devices. Train administrators on proper and secure management of wireless network.

[Remaining template columns for the rows above: Risk Ranking; Primary Point of Contact to Mitigate Risk; Current Strategies for Mitigating Risk; Description of Monitoring in Place; Comment]
INFORMATION SECURITY RISK ASSESSMENT

[Template columns: Category of Risk; Issue/Risk; Risk Description (Explanation of Threat); Potential Impact [1 (Low) to 5 (High)]; Likelihood [1 (Low) to 5 (High)]; Risk Ranking; Primary Point of Contact to Mitigate Risk; Current Strategies for Mitigating Risk]

Management Processes
1. Lack of Risk Assessment
   Risk Description: "Risk Assessment" processes consist of risk assessments, vulnerability scanning, and security classification of assets. Lack of risk assessment processes could lead to lack of insight into changing security vulnerabilities and threats; ineffective responses to security issues; missed opportunities; and inefficient use of resources.

2. Lack of Security Planning
   Risk Description: "Security Planning" means information security, rules of behavior, and privacy requirements are considered in organizational planning. If information security is not considered in organizational planning, systems and users could be exposed to threats; and unnecessary resources may be expended after an incident occurs.

3. Lack of Security System & Services Acquisition
   Risk Description: "Security System & Services Acquisition" processes identify need for organizations to consider information security issues in SDLC; ensure third-party service providers employ adequate security to protect assets; and employ software usage restrictions. If organization's SDLC and project management methodology does not consider information security, essential security functionality may be excluded or misconfigured. This exclusion or misconfiguration may expose users to exploitation and necessitate additional expenditure of funds to reconfigure systems.

4. Lack of Security Assessments & Authorizations
   Risk Description: "Security Assessments & Authorization" process identifies need for periodic assessment of security controls. If organization does not periodically assess security controls, it may not know if controls are misconfigured. This could lead to compromise and exploitation of employee and client information.

5. Lack of Program Management
   Risk Description: "Program Management" process identifies need to develop, document, and implement an organization-wide information security program that considers the other 17 identified controls. Lack of program management increases risk that all controls are not considered.

Operational Processes
6. Lack of Personnel Security Processes
   Risk Description: "Personnel Security" identifies need to assess trustworthiness of potential employees; and the need to protect organizational assets after employee leaves organization. If organization does not have processes to screen personnel prior to employment, organization risks hiring untrustworthy individuals. If organization does not have standard practices to manage personnel terminations and transfers, organization risks loss of assets and exploitation of data by unauthorized individuals.

7. Lack of Physical & Environmental Protection
   Risk Description: "Physical & Environmental Protection" addresses need to protect infrastructure that supports systems; and need to limit physical access. Lack of physical security controls exposes physical assets to damage, theft, and misconfiguration. It also creates potential for disruption of service.

8. Lack of Maintenance
   Risk Description: "Maintenance" processes address requirement to perform periodic and timely maintenance; and to control the resources used to conduct maintenance. Lack of formal regular and preventative maintenance processes increases potential for system misconfiguration and outages.

9. Lack of Media Protection
   Risk Description: "Media Protection" addresses need to protect paper and digital media generated by systems. Lack of proper protection of paper and digital media exposes information on the media to viewing by unauthorized individuals. This could lead to exploitation of information.

10. Lack of Configuration Management
   Risk Description: "Configuration Management" addresses need to establish standard system configuration across system lifecycle; and processes to manage changes. Lack of standard, enforced system configuration creates potential for numerous system configurations. This may lead to degraded maintenance; unnecessary costs to maintain multiple configurations; and exploitation of misconfigured devices.

11. Lack of System & Information Integrity
   Risk Description: "Systems & Information Integrity" addresses practices that can protect system from vulnerabilities (e.g., patching, anti-malware software; email content filters; system monitoring; and integrity checks). Lack of timely patching exposes systems to threats that will exploit unpatched vulnerabilities. Lack of anti-malware software creates potential for exploitation by viruses and Trojan horses. Lack of email filters creates potential for unwanted emails, malware infections, phishing attacks, dissemination of sensitive information, and system degradation. Lack of system monitoring leaves organization and users susceptible to changing threats. Lack of data integrity checks increases potential that data has been altered.

12. Lack of Contingency Planning
   Risk Description: "Continuity Planning" addresses plans for backup operations, emergency responses, and post-disaster recovery. Lack of contingency planning increases potential that critical services and data will not be available when needed or after an outage. This could lead to disruption of services and damaged reputation.

13. Lack of Security Incident Response
   Risk Description: "Incident Response" addresses processes to respond to security incidents (e.g., malware infections, web site defacements, unauthorized intruders). Lack of incident response processes increases potential for degraded operations; extended disruption of services; and compromised information.

14. Lack of Security Awareness & Training
   Risk Description: "Security Awareness & Training" addresses need for security awareness and training of managers, users, and administrators. Lack of security awareness & training increases potential for user actions or inaction that could endanger confidentiality, integrity & availability of information.

Technology

15. Lack of Identification & Authentication
   Risk Description: "Identification & Authentication" addresses need to identify system users and verify their identities prior to allowing access. Inability to uniquely identify system users increases difficulty of identifying specific user actions; and difficulty in assigning corrective action to specific individuals.

16. Lack of Access Control
   Risk Description: "Access Control" addresses need to limit system access to authorized users and processes. Inability to limit access to specific information creates potential that unauthorized individuals or processes may access, delete, steal, or corrupt information they are not authorized to access.

17. Lack of System & Communication Protection
   Risk Description: "System & Communication Protection" is designed to ensure confidentiality, integrity, and availability of information in transit and at rest (e.g., firewall, cryptography, VOIP). Lack of security controls at the boundaries creates potential for exploitation of organization information and systems.

18. Lack of Audit & Accountability
   Risk Description: "Audit & Accountability" addresses creation, protection, and review of audit records. Lack of auditing increases difficulty of troubleshooting system issues, managing user actions, and complying with regulations and laws.
