RISK ASSESSMENT OVERVIEW DEFINITIONS

A. Overview:
Risk is defined as the "possibility of an event occurring that will have an impact on the achievement of objectives." Organizations are exposed to a wide variety of risks every day. The impact of these risks could affect an organization's finances, operations, legal standing, or reputation. To effectively manage these risks, management should have a process to identify, assess, prioritize, and manage them.

This file contains five tabs to help you identify and assess risks for your organization or project. The following summarize the five tabs:
• Template Overview & Definitions. This tab defines terms used in the Risk Assessment Template and steps for completing your risk assessment. The definitions and steps are in sections B and C of this tab.
• Blank Risk Assessment Template. This tab contains the column headings you can use to create your risk assessment. It is designed to be flexible enough to develop a risk assessment for a unit, department, process, or project. You can identify your own categories, risks, and descriptions. You may also choose to cut, paste or modify risks included in the three sample tabs.
• Business Risk Assessment Sample. This sample risk assessment identifies common "business" risks associated with a university.
• IT Risk Assessment Sample. This is a sample risk assessment for an information technology issue -- wireless data networks. Thus, it uses a different set of categories than the Business Risk Assessment Sample. Please note that rows eight through 15 identify risks associated with the complete lifecycle of an information technology project.
• Security Risk Assessment Sample. This is a sample risk assessment for an organization's information security program and practices.

B. Definition of Terms:
TEMPLATE TERM: DEFINITION
Category of Risk: This is an optional column. You can use this to categorize risks you identified in the Issue/Risk column.
Issue/Risk: In this column, briefly identify the risk or issue with which you are concerned.
Risk Description: This column describes the risk associated with the Issue/Risk identified in the previous column. You can also use this column to identify more information on other risks you identified. Consider what can go wrong if this risk is not managed.
Potential Impact: Use this column to identify the impact to your organization if the issue/risk were to occur. You should rank the risk from Low (1) to High (5).
Likelihood: Use this column to determine the likelihood of the issue/risk actually occurring. You should rank the risk from Low (1) to High (5).
Risk Ranking: This column automatically generates the risk score by multiplying the Potential Impact by the Likelihood. The higher the number, the greater the risk to the organization.
Primary Point of Contact to Mitigate This Risk: Use this column to identify the organization or person who is responsible for managing/mitigating the risk. This can be internal or external to your organization.
Current Strategies for Mitigating the Risk: Use this column to identify how this risk is being managed/mitigated. Possible strategies may consist of existing policies and procedures; manual reviews; and technology to manage the risk.
Description of Monitoring in Place: Use this column to identify what you are doing to monitor the risk, or how you are monitoring the person or organization responsible for mitigating the risk.
Comment: This is an optional column, which you can use to include special notes or comments.

C. Steps for Completing Your Risk Assessment:
1. Use a brainstorming process to identify the issues, uncertainties, and risks you are concerned about. You do not need to worry about the likelihood of it occurring at this stage. When you are done, place these "issues/risks" in the column of the Risk Assessment called Issue/Risk. If you want, you can group these into common categories. If you do group them, you can place the category label in the column called "Category."
2. Next, review each risk and issue you identified and describe it in one to three sentences. As you describe the issue/risk, consider threats, vulnerabilities, and impact if the risk is not managed. Place this information in the column called "Risk Description."
3. Now consider the impact if the risk is not managed. Consider the scope of the impact (e.g., university, department, section) and the business, operational, and reputational impact. Rank the level of impact from 1 (Low) to 5 (High).
4. Now consider the likelihood of bad consequences occurring with the current policies, procedures, practices, and technology you have in place to manage the risks. Rank the likelihood of impact from 1 (Low) to 5 (High).
5. As you complete steps 3 and 4, the risk assessment will automatically calculate the "Risk Ranking" of the issue/risk by multiplying the impact of the risk by its likelihood of occurrence. The higher the number, the greater the risk to your organization.
6. Now identify who or what organization is managing the risk now. Place the name in the column called "Primary Point of Contact to Mitigate This Risk."
7. Now identify how the risk is being managed now. Consider policies, procedures, technologies, and manual practices. Place the controls in the column called "Current Strategies for Mitigating the Risk."
8. Next, identify who is monitoring the controls, and how, to ensure the risk is being managed. Place this information in the column called "Description of Monitoring in Place."
9. Finally, review the list for accuracy. Note the risks which scored the highest. Use this as a guide to determine which risks to manage. You should consider taking action to manage the risks that have the highest Risk Ranking. Because the priority of risks does not remain constant, you should regularly update this assessment.
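A worked version of steps 3 through 9, added here as an example and not part of the original template: it applies the template's scoring rule (Potential Impact times Likelihood, each on the 1 (Low) to 5 (High) scale), orders rows by Risk Ranking, and flags rows whose contact, strategy, or monitoring columns were left blank. The sample rows, the Python field names, and the impact-first tie-break between equal scores are assumptions, not part of the template.

```python
"""Risk register helper for the Risk Assessment Template above (added example).

Scoring rule from the template: Risk Ranking = Potential Impact x Likelihood,
each scored 1 (Low) to 5 (High). The review in step 9 is implemented as a sort
by ranking plus a check for blank mitigation/monitoring columns.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCALE_MIN, SCALE_MAX = 1, 5  # the template's Low..High scale


@dataclass
class RiskRow:
    """One row of the template; field names are this example's own choice."""
    category: str
    issue_risk: str
    risk_description: str
    potential_impact: int
    likelihood: int
    primary_point_of_contact: str = ""
    current_strategies: str = ""
    monitoring_in_place: str = ""
    comment: str = ""

    def __post_init__(self) -> None:
        # Reject scores outside 1..5 so a typo cannot silently inflate a ranking.
        for name in ("potential_impact", "likelihood"):
            value = getattr(self, name)
            if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{name} must be an integer from {SCALE_MIN} to {SCALE_MAX}, got {value!r}")

    @property
    def risk_ranking(self) -> int:
        # Template rule: the spreadsheet multiplies impact by likelihood.
        return self.potential_impact * self.likelihood


def rank_rows(rows: List[RiskRow]) -> List[RiskRow]:
    """Highest Risk Ranking first. Tie-break (an assumption, not in the template):
    on equal scores the higher-impact row comes first."""
    return sorted(rows, key=lambda r: (r.risk_ranking, r.potential_impact), reverse=True)


def completeness_findings(rows: List[RiskRow]) -> Dict[str, List[str]]:
    """Step 9 review: a scored row with nobody managing it, no current strategy,
    or no monitoring is an unmanaged risk whatever its score. Returns the blank
    column names per Issue/Risk."""
    findings: Dict[str, List[str]] = {}
    for row in rows:
        missing = []
        if not row.primary_point_of_contact.strip():
            missing.append("Primary Point of Contact to Mitigate This Risk")
        if not row.current_strategies.strip():
            missing.append("Current Strategies for Mitigating the Risk")
        if not row.monitoring_in_place.strip():
            missing.append("Description of Monitoring in Place")
        if missing:
            findings[row.issue_risk] = missing
    return findings


def prioritized_report(rows: List[RiskRow]) -> List[Tuple[str, int, List[str]]]:
    """(Issue/Risk, Risk Ranking, blank columns) in the order to work through them."""
    gaps = completeness_findings(rows)
    return [(r.issue_risk, r.risk_ranking, gaps.get(r.issue_risk, [])) for r in rank_rows(rows)]


# Constructed sample rows; wording borrows from the wireless sample in this file.
SAMPLE_ROWS = [
    RiskRow("Access & Authorization", "Unauthorized Session/Data Interception",
            "Attacker intercepts traffic between two legitimate parties.",
            potential_impact=5, likelihood=3,
            primary_point_of_contact="Network Services",
            current_strategies="WPA2/AES; VPN for sensitive traffic",
            monitoring_in_place="Rogue access point detection reviewed weekly"),
    RiskRow("Sustainability of Services", "Deliberate Disruption of Services",
            "Jamming or denial of service against the wireless network.",
            potential_impact=3, likelihood=2,
            primary_point_of_contact="Network Services",
            current_strategies="Radio band surveys; SNMP disabled"),
    RiskRow("Security & Assurance", "Inadequate Training",
            "Users are unaware of wireless risks.",
            potential_impact=2, likelihood=5),
]


if __name__ == "__main__":
    for issue, score, gaps in prioritized_report(SAMPLE_ROWS):
        note = f"  [blank: {', '.join(gaps)}]" if gaps else ""
        print(f"{score:>2}  {issue}{note}")
```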

Risk Assessment Discussion Tool (Blank Risk Assessment Template)
Columns: Category | Issue/Risk | Risk Description (Explanation of Threat) | Potential Impact [1 (Low) to 5 (High)] | Likelihood [1 (Low) to 5 (High)] | Risk Ranking | Primary Point of Contact to Mitigate This Risk | Current Strategies for Mitigating the Risk | Description of Monitoring in Place | Comment
(The template rows are left blank for you to fill in.)

RISK ASSESSMENT DISCUSSION TOOL (Business Risk Assessment Sample)
Columns: Category | Issue/Risk | Risk Description (Explanation of Threat) | Potential Impact [1 (Low) to 5 (High)] | Likelihood [1 (Low) to 5 (High)] | Risk Ranking | Primary Point of Contact to Mitigate This Risk | Current Strategies for Mitigating the Risk | Description of Monitoring in Place | Comment
Executive Management Controls (Issue/Risk): Executive Management controls are the responsibility of Senior University Administration. They include the following over-arching activities:
c. Decision making is prejudiced or based on biased information.
c. Ineffective marketing/public relations.
d. Special interests drive the University's priorities.
b. The organizational goals and objectives are not developed, communicated, and monitored for achievement.
d. Insufficient recognition or incentives for instructional quality.
e. Ineffective academic administrator selection and training.
f. Failure to establish and maintain entrance quality standards that are consistently and equitably applied.
a. Insufficient revenues to sustain teaching, research, student housing, research facilities, and the University infrastructure.
b. An allocation of resources among academic programs that does not reflect UNL's priorities (mission, objectives).
c. An over-commitment of resources by the University or unexplained deviations from the budget.
d. A violation of the public's trust and confidence by improperly using, or mismanaging, state funds.
a. The College's/Department's goals and objectives are missing or obsolete.
b. Objectives and goals are misaligned with the College's/Department's strategic plan.
c. The College's/Department's goals and objectives are not measurable.
d. Staff is unaware of the College's/Department's objectives and/or status of attaining goals is unknown or unmonitored.
a. The College's/Department's policies are obsolete, incomplete, inaccessible and/or misunderstood by staff and faculty.
a. Inadequate cash handling procedures to identify and prevent cash misappropriations or lost cash receipts.
e. Unrecorded receivables or untimely posted receivables.
g. Improper valuation of allowance for doubtful accounts and/or inappropriate account write-offs.
e. Unapproved work authorizations or work authorized only after work commenced.
f. Ambiguous construction contract templates that fail to represent the best interests of the University.
a. Improper classification or recording of transactions in accordance with University and regulatory standards.
e. Unauthorized, untimely, or inaccurate departmental charge backs (inter-departmental charges).
f. Inappropriate year-end cut-off procedures and closing entries.

5. Health & Safety: Health and safety procedures and training are administered by Environmental Health and Safety. These procedures are designed to mitigate against the following risks.
d. Non-existent or inadequate performance measures and reviews.
e. No procedures to address unsatisfactory performance expectations.
a. Unauthorized or "ghost" employees are issued salary payments.
b. Employee payroll deductions are not made as authorized by the employee.
c. Insufficient payroll funds are retained for social security tax, retirement withholding, income tax withholding, and medical benefits.
g. Outdated, inadequate, or ambiguous contract templates.
h. Lack of a process to ensure that only authorized personnel procure goods and services.
a. Unrecorded or undervalued capital assets.
e. Significant discrepancies between inventory records and departmental accounting records.

11. Risk Management: UNL's Risk Management should be contacted in the event of property damage or theft losses. Risks may include:

13. Student Affairs: Student Affairs is responsible for creating a supportive environment for student learning. Risks include:
a. Inadequate student housing and/or meals are not made available to students at a reasonable cost.
b. Inappropriate exposure of confidential student records.
d. Ineffective governance of student organizations.

Departmental/Unit Controls (May include processes in the System-wide Controls section above), Process: Effective key business processes help to assure college and departmental objectives are met. Listed below are some key business processes with some of the associated risks.
c. The quality of the goods and services is inferior and inadequate to meet the business needs of the College/Department.
b. There is no review of the travel claim for reasonableness and business purpose.
WIRELESS DATA NETWORK RISK ASSESSMENT AS OF April 9, 2010
Columns: Category | Issue/Risk | Risk Description (Explanation of Threat) | Potential Impact [1 (Low) to 5 (High)] | Likelihood [1 (Low) to 5 (High)] | Best Practices to Control Risk | Risk Ranking | Primary Point of Contact to Mitigate This Risk | Current Strategies for Mitigating the Risk | Description of Monitoring in Place | Comment
Strategy

1. Lack of Governance Strategy
Risk Description: Ineffective governance, which inhibits the effective use of resources for the achievement of identified strategic goals. (Has University management identified the purpose and acceptable use of the wireless network; who is allowed to use the network; who is responsible for setting standards; who is responsible for managing the network; and who can grant exemptions?)
Best Practices: Management defines the overall purpose of the network; identifies who is authorized to use the network and for what purpose; identifies what information can be transmitted over the network; and identifies who will set standards, establish service levels, and procure and maintain network components.

2. Lack of Regulatory, Contractual, & Legal Requirements
Risk Description: Noncompliance with regulatory and statutory requirements. (Has the University identified the applicable regulations that govern use of radio waves and applicable protocols for the wireless network? Has the University identified applicable laws that govern privacy and use of networks? Does the University have specific contract requirements on how partner data will be handled or managed in the event of data compromise?)
Best Practices: Periodically review regulations and contracts to understand data management and disclosure requirements. Identify protocols and security standards that will meet regulatory, contractual, and legal requirements.

3. Lack of Policies, Standards, & Procedures
Risk Description: Noncompliance with policies and procedures. (Does the University have documented policies and procedures that identify who and what devices can access its wireless network and the "acceptable use" of its network? Does the University have policies on processes that govern management of the wireless network (e.g., operations, key management, authentication, incident response)?)
Best Practices: Develop documented policies on use of the network. Develop policies on how the network and keys will be managed. Identify standards that will govern how connections will be made to the network (e.g., IEEE 802.1X/Extensible Authentication Protocol), encryption standards (e.g., AES encryption), and authentication methods (e.g., user ID & password, biometrics, smart cards).

4. Lack of Management Communication
Risk Description: Current policies, procedures and management expectations are not communicated to faculty and staff. (Has Management communicated its policy on acceptable use of the wireless network?)
Best Practices: Regular communication on acceptable use of the wireless network. Conduct initial and recurring training for regular users of the network (e.g., University employees, students). Conduct training on acceptable use for short-time users of the network (e.g., guests, contractors).

Life Cycle Management

5. Poorly Implemented Initiation Phase
Risk Description: Undefined project parameters and goals. (Has the University performed an initial assessment of the wireless network requirements before it designs, implements, or upgrades it? Has the University identified high-level requirements and stakeholders? Has management approved the project and budget?)
Best Practices: Use formal project management methodology. Perform risk assessment to identify and evaluate wireless network threats and their impact. Document a wireless acceptable use policy that specifies who is authorized to use the network and for what purpose. Identify high-level operational, technical, and security requirements. Mandate that all connections use industry-approved standards (e.g., IEEE 802.11) to facilitate subsequent life cycle management phases.

6. Inadequate Wireless Network Planning & Design
Risk Description: Lack of resources necessary for completion of the project. (Has the University identified: project scope and expected deliverables; correct team members and budget; schedule of activities that need to be considered to meet requirements; functional requirements; technical and security characteristics of the wireless network components; various clients who will use the wireless network; and resources needed to procure, operate, and maintain the wireless network and components?)
Best Practices: Use formal project management methodology to plan and design. Identify detailed functional, operational, technical, and security requirements. Conduct a site survey to determine proper location of access points. Identify standards for authentication that will meet regulatory, contractual, and legal requirements. Plan for a dedicated Virtual LAN (VLAN) to facilitate access point connections to the wired network. Plan for a dedicated management VLAN to facilitate wireless network administrative tasks. Plan to install a network firewall between the wireless network and the wired network, if unauthenticated users are using the wireless network. Use third party security professionals to implement, if in-house resources do not have the required skills.

7. Inappropriate Wireless Network Procurement
Risk Description: Inappropriate or unapproved purchases. (Has the University: identified the components of the wireless network; considered security and maintenance requirements of the components; considered the upgrade path of the network and components; procured components that will meet functional, technical, and security requirements?)
Best Practices: Procure products (e.g., access points, stations, cryptologic modules) that will meet regulatory, contractual, legal and University operational and security requirements for confidentiality, integrity, and availability (e.g., WPA2 certified, AES). Procure an authentication server and access points that can communicate in a secure manner and have time-stamp syncing capability with each other. Procure access points that can be configured to secure sessions and data (e.g., authorize sessions for a specific time period; terminate sessions after a specific time period; log security events and forward them to a central logging server; support authentication and encryption for administrative sessions; support a secure, independent management interface for administrative tasks).

9. Inadequate Wireless Network Operations & Maintenance
Risk Description: Increased vulnerabilities due to the lack of regular maintenance. (Has the University identified who will perform maintenance; perform first, second, and third-level support; perform log management and monitoring functions? Have administrators been trained to perform their assigned tasks? Does the University have documented processes that will effectively manage, maintain, and secure the wireless network?)
Best Practices: Test and deploy patches. Change passwords regularly. Periodically update certificates. Manage keys to reduce compromise (e.g., regular updating, unique keys). Review audit logs regularly. Inventory access points and devices that connect to the wireless network. Perform periodic wireless network security assessments. Apply the organization's security settings to access points after every access point reset. Provide ongoing training to system administrators.

10. Incorrect Wireless Network Asset Disposition
Risk Description: Inappropriate retention of sensitive data. (Has the University identified who will retire and sanitize components, and how; and how long and on what media information and logs will be retained to meet legal requirements?)
Best Practices: Develop and implement processes to remove information (e.g., passwords, keys, sensitive configuration information) from devices when they are retired. If a central logging server does not exist, retain the log information on media for future review. Retain information based on the data retention policy. Document the process and periodically review archived information.

11. Inadequate Change Control
Risk Description: Unauthorized changes. (Does the University let employees set up their own access points without approval of the wireless network functional manager? Can network administrators make changes without notifying management and users? Are changes tested prior to placing them into production?)
Best Practices: Employ standard change control methodology to modify or upgrade the wireless network.

Access & Authorization

12. Unauthorized Session/Data Interception
Risk Description: Exposure of sensitive data. (Attackers can monitor and intercept communication between two legitimate parties to obtain authentication credentials and data (i.e., man-in-the-middle attack). An attacker can masquerade as a legitimate user to gain access to unauthorized information. An attacker can set up a rogue access point which would look like an authorized access point. An attacker can delete, add, change, or reorder legitimate messages it has intercepted.)
Best Practices: Design radio coverage to minimize interception. Place access points and antennas to concentrate coverage in the desired coverage area. Monitor the area outside of the coverage area to identify intruders. Monitor the coverage area for unauthorized access points. Employ encryption (e.g., IPSec, SSL), using a protocol consistent with regulations and contracts, to protect data.

13. Unauthorized Data Access
Risk Description: Data integrity is unreliable. (An attacker gains unauthorized access by impersonating an authorized user.)
Best Practices: Configure network devices to reduce the risk of unauthorized access: suppress broadcast of the SSID; employ a security protocol that facilitates authentication and encryption of data packets; register legitimate station MAC addresses and disallow connections from any others; segment the network so sensitive data is not exposed to individuals who do not require access to sensitive data; employ a VPN between client and access point outside the firewall. Data stored on wireless devices should be secured (e.g., use encryption, passwords, locks).

Sustainability of Services

14. Deliberate Disruption of Services
Risk Description: Unavailability of data or network systems. (An attacker can prohibit the normal use or management of network devices or the entire network (i.e., denial of service attack).)
Best Practices: Design radio coverage to minimize the risk of jamming. Regularly survey the radio band for possible jammers. Perform regular physical surveillance to identify intruders and jammers. Disable the SNMP protocol if it is not required.

15. Inadvertent Disruption of Services
Risk Description: Inadequate user awareness of actions causing the unavailability of data or network systems. (Objects in the intended coverage zone (e.g., solid surfaces that block light, microwaves) can interfere with wireless transmission. A user can disrupt operations for all users by transferring large files for an extended period.)
Best Practices: Evaluate the wireless network coverage area to identify possible sources of interference. Follow the manufacturer's guidance for placing access points. Test coverage to identify disruption. Regularly survey the radio band for objects which could interfere with radio coverage. Perform regular physical surveillance to identify intruders and jammers. Document in policies and standards the impact and acceptable file transfer size. Educate users on the need to minimize the transfer of large files.

16. Inadequate Continuity of Services
Risk Description: Backup data and/or systems are unavailable. (What happens if the wireless network is unavailable for an extended period? What happens if users are unable to access the wireless network?)
Best Practices: Implement disaster recovery/business continuity plans. Document processes and help desk functions that can help resolve users' access problems.

Security & Assurance

17. No Risk Assessment Process
Risk Description: Exposure to unidentified risks not currently being managed. (Does the University identify and assess the risks of wireless threats to its architecture and business? Has the University identified the value of assets that may be exposed to wireless risks? Has the University identified the level of risk it is willing to assume?)
Best Practices: Perform periodic risk assessment of wireless technologies, University network architecture, vulnerabilities, and threats. Identify how much risk the University is willing to assume in use of the wireless network.

18. Unauthorized Devices Connect to Wireless Network
Risk Description: Unintended increased exposure of data. (Does the University manage security of devices that connect to the wireless network? Can unsecured or infected machines connect to the University network? Wireless machines are often at greater risk than machines that connect to the network via wires.)
Best Practices: Establish and enforce machine configuration standards (e.g., antivirus, firewall, patches, machine & account configurations) to manage wireless risks. Configure devices to only be able to connect to valid access points. Inventory devices that connect to the network. Disable ad hoc mode on the devices unless there is a requirement for peer-to-peer networking.

19. Compromised Authentication Server & Access Points
Risk Description: Unauthorized system access. (Breach of the authentication server would enable an intruder to access the network and University information. If access points are compromised, intruders can access the network.)
Best Practices: The authentication server should be considered and secured as a high-value, sensitive University asset. Security should include antivirus software, regular patching, account and machine configurations, and physical security controls to minimize access. Access points should be configured with strong authentication and encrypted communications. Both devices should have the capability to easily receive patches and firmware upgrades.

20. No Asset Monitoring
Risk Description: Inappropriate system use. (Does the University have tools to monitor network usage, performance, and threats to the wireless network?)
Best Practices: Identify events that will be logged and reviewed. Develop and implement processes that will facilitate event monitoring. Deploy and use tools that can monitor network bandwidth usage. Deploy and use tools that can detect and prevent network intrusions. Deploy and use tools that can detect unauthorized access points and devices trying to connect to the network. Deploy and use tools that can identify vulnerabilities in devices that try to access the network.

21. Inadequate Incident Response Capability
Risk Description: Insufficient recovery plan. (Do a team and processes exist to respond to security incidents or disruption of service? Does the University know who to contact if a security incident occurs?)
Best Practices: A team should exist that can execute the response to specific wireless network incidents. Documented incident response practices should exist to facilitate prompt, effective, and efficient responses. The University should develop a documented list of key personnel (e.g., key University personnel, law enforcement officials) to contact if an incident occurs. A communication strategy should exist.

22. Inadequate Training
Risk Description: Inadequate training. (Have network users been trained on risks associated with wireless networks? Have users been trained on how to manage those risks? Have network administrators been trained on how to configure and manage the wireless network components?)
Best Practices: Train wireless network users on acceptable and secure use of the network. Train users on how to secure their mobile devices. Train administrators on proper and secure management of the wireless network.
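An added example, not part of the original assessment, that turns several of the best practices above into a configuration review: each check names the table row it comes from (rows 6, 7, 13, 14, 18, 19), and a weak access point configuration is shown beside its hardened form. The configuration keys and sample values are constructed for illustration; real access point and controller exports differ by vendor.

```python
"""Access point configuration review against the wireless risk assessment above.

Added example. Each check cites the row of the wireless table whose best practice
it verifies. The configuration is a constructed dict; every key name below is an
assumption standing in for a vendor-specific setting.
"""
from typing import Any, Dict, List, NamedTuple


class Finding(NamedTuple):
    row: int      # row number in the wireless risk assessment table
    issue: str    # that row's Issue/Risk column
    detail: str


def review_access_point(cfg: Dict[str, Any]) -> List[Finding]:
    """Return one Finding per best practice the configuration does not meet."""
    findings: List[Finding] = []

    def flag(row: int, issue: str, detail: str) -> None:
        findings.append(Finding(row, issue, detail))

    # Row 7: procured components must provide confidentiality/integrity (WPA2 certified, AES).
    if cfg.get("security_mode") != "WPA2" or cfg.get("cipher") != "AES":
        flag(7, "Inappropriate Wireless Network Procurement",
             f"security_mode={cfg.get('security_mode')}, cipher={cfg.get('cipher')}; expected WPA2 with AES")
    # Row 7: log security events and forward them to a central logging server.
    if not cfg.get("syslog_server"):
        flag(7, "Inappropriate Wireless Network Procurement", "no central logging server configured")
    # Row 7: sessions authorized for, and terminated after, a specific time period.
    if not cfg.get("session_timeout_minutes"):
        flag(7, "Inappropriate Wireless Network Procurement", "client sessions never time out")
    # Rows 7 and 19: administrative sessions must be authenticated and encrypted.
    if cfg.get("mgmt_http_enabled") or not cfg.get("mgmt_https_enabled"):
        flag(19, "Compromised Authentication Server & Access Points",
             "management interface allows unencrypted (HTTP) administration")
    # Row 6: dedicated management VLAN, separate from the client VLAN.
    if cfg.get("mgmt_vlan") is None or cfg.get("mgmt_vlan") == cfg.get("client_vlan"):
        flag(6, "Inadequate Wireless Network Planning & Design",
             "management traffic shares the client VLAN")
    # Row 13: suppress SSID broadcast. (Listed on the page; on its own this is a weak
    # control, since the SSID still appears in probe and association traffic.)
    if cfg.get("ssid_broadcast", True):
        flag(13, "Unauthorized Data Access", "SSID broadcast enabled")
    # Row 14: disable SNMP unless it is required.
    if cfg.get("snmp_enabled") and not cfg.get("snmp_required"):
        flag(14, "Deliberate Disruption of Services", "SNMP enabled with no documented requirement")
    # Row 18: ad hoc (peer-to-peer) mode off unless there is a requirement for it.
    if cfg.get("ad_hoc_mode_enabled") and not cfg.get("ad_hoc_required"):
        flag(18, "Unauthorized Devices Connect to Wireless Network", "ad hoc mode enabled")
    # Row 19: devices must receive patches and firmware upgrades; flag a version lag.
    if cfg.get("firmware_version") != cfg.get("approved_firmware_version"):
        flag(19, "Compromised Authentication Server & Access Points",
             f"firmware {cfg.get('firmware_version')} differs from approved "
             f"{cfg.get('approved_firmware_version')}")
    return findings


# Constructed sample: a "before" configuration with several weak settings.
WEAK_AP = {
    "security_mode": "WPA", "cipher": "TKIP",
    "syslog_server": "", "session_timeout_minutes": 0,
    "mgmt_http_enabled": True, "mgmt_https_enabled": True,
    "mgmt_vlan": 10, "client_vlan": 10,
    "ssid_broadcast": True,
    "snmp_enabled": True, "snmp_required": False,
    "ad_hoc_mode_enabled": False, "ad_hoc_required": False,
    "firmware_version": "2.1.0", "approved_firmware_version": "2.3.1",
}

# The same device after applying the table's best practices (values constructed).
HARDENED_AP = {
    "security_mode": "WPA2", "cipher": "AES",
    "syslog_server": "10.0.0.5", "session_timeout_minutes": 480,
    "mgmt_http_enabled": False, "mgmt_https_enabled": True,
    "mgmt_vlan": 99, "client_vlan": 10,
    "ssid_broadcast": False,
    "snmp_enabled": False, "snmp_required": False,
    "ad_hoc_mode_enabled": False, "ad_hoc_required": False,
    "firmware_version": "2.3.1", "approved_firmware_version": "2.3.1",
}


if __name__ == "__main__":
    for finding in review_access_point(WEAK_AP):
        print(f"row {finding.row:>2} ({finding.issue}): {finding.detail}")
    print("hardened findings:", review_access_point(HARDENED_AP))
```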
INFORMATION SECURITY RISK ASSESSMENT
Columns: Category | Issue/Risk | Risk Description (Explanation of Threat) | Potential Impact [1 (Low) to 5 (High)] | Likelihood [1 (Low) to 5 (High)] | Risk Ranking | Primary Point of Contact to Mitigate This Risk | Current Strategies for Mitigating the Risk | Description of Monitoring in Place | Comment
Management Processes

1. Lack of Risk Assessment
"Risk Assessment" processes consist of risk assessments, vulnerability scanning, and security classification of assets. Lack of risk assessment processes could lead to lack of insight into changing security vulnerabilities and threats; ineffective responses to security issues; missed opportunities; and inefficient use of resources.

5. Lack of Program Management
The "Program Management" process identifies the need to develop, document, and implement an organization-wide information security program that considers the other 17 identified controls. Lack of program management increases the risk that some controls are not considered.

Operational Processes

6. Lack of Personnel Security Processes
"Personnel Security" identifies the need to assess the trustworthiness of potential employees, and the need to protect organizational assets after an employee leaves the organization. If the organization does not have processes to screen personnel prior to employment, the organization risks hiring untrustworthy individuals. If the organization does not have standard practices to manage personnel terminations and transfers, the organization risks loss of assets and exploitation of data by unauthorized individuals.

11. Lack of System & Information Integrity
"Systems & Information Integrity" addresses practices that can protect systems from vulnerabilities (e.g., patching; anti-malware software; email content filters; system monitoring; and integrity checks). Lack of timely patching exposes systems to threats that will exploit unpatched vulnerabilities. Lack of anti-malware software creates the potential for exploitation by viruses and Trojan horses. Lack of email filters creates the potential for unwanted emails, malware infections, phishing attacks, dissemination of sensitive information, and system degradation. Lack of system monitoring leaves the organization and users susceptible to changing threats. Lack of data integrity checks increases the potential that data has been altered without detection.

Technology

16. Lack of Access Control
"Access Control" addresses the need to limit system access to authorized users and processes. Inability to limit access to specific information creates the potential that unauthorized individuals or processes may access, delete, steal, or corrupt information they are not authorized to access.