[ skip to content ]

More Information about this image

Handbook and paperwork for the newly hired.

Old Dominion University

Information Technology Standard

08.1.0 Risk Assessment Standard

Date of Current Revision or Creation: December 1, 2020

The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

  1. Purpose

    The purpose of this standard is to establish responsibilities and the process for documenting system risk assessments.

  2. Definitions

    BIA Immediate Systems are information technology systems described in the triennial Business Impact Analysis (BIA), maintained centrally for University use, and are considered to require immediate recovery (1-3 business days) in support of the University's mission.

    Confidential Systems are systems that store or process data that is not explicitly defined as restricted data and is not intended to be made publicly available. Confidential data is distributed on a need-to-know basis between members of the University staff, IT systems, and specific third parties when authorized. Unauthorized exposure of this information could violate state and federal laws and/or can adversely affect the University as a whole or in part or the interests of individuals associated with the University. Confidential data may only be disclosed to a third party with the permission of the Data Owner.

    If a file which would otherwise be considered public contains an element of confidential, the entire file may be considered to be confidential information.

    Data is defined as an information asset that represents, but is not limited to, individual data elements, lists, addresses, documents, images, measurement samples, programs, program source code, voice recordings, aggregations of data, or other information in a digital format. Data in a tangible object, typically paper, is excluded from this policy, but is subject to other University policies, including, but not limited to, policies on records management and confidentiality.

    Data Owner is the individual responsible for the practice decisions of data and for approval of access to the data.

    Information Security Office is the unit within the Office of Information Technology Services (ITS) responsible for overseeing efforts to protect ODU's computing and information assets and to assist in compliance efforts with information-related laws, regulations, and policies.

    Restricted Systems are systems that contain data that may be subject to disclosure laws requiring careful management and protection to ensure their integrity, appropriate access, and availability. This information must be guarded from disclosure. Unauthorized exposure of this information could contribute to identity theft, financial fraud, and violate state and/or federal laws. Unauthorized disclosure of this data could adversely affect the University or the interests of individuals and organizations associated with the University. Systems containing restricted data must be approved by the Information Security Officer.

    Risk Treatments involve identifying the range of options for treating unacceptable risk, assessing those options, preparing risk treatment plans and implementing them.

    Risks are those factors that could affect the security, availability, and integrity of the University's key information assets and systems.

    Sensitive System is a classification given to Restricted IT systems in which the loss to confidentiality of the system or data could have a material adverse effect on the University interests or the privacy to which individuals are entitled. Systems will be designated to be either Restricted or Confidential based on the sensitivity of the data.

    System - refers to a collection of components (hardware, software, personnel, data, and/or configuration) that provides a service or fulfills a business use case, regardless of where it is hosted or who administers it.

    System Design Change is defined as any combination of changes to individual system components, or major modifications to software, hardware, or database components that effectively change the way the system operates or responds to the user. Changes include an operating system change, type of database used, changes to underlying processes such as the use of new scripting language or web development platform, a complete hardware lifecycle change, a change of hosted providers, a change of data being provided to a hosted provider to a more sensitive type of data, or a change to the authentication system being used.

    System Risk Assessment is the overall process of system risk analysis and risk evaluation, and identification of risk treatments. It is also the name of the report required as documentation.

    System Owner is the manager responsible for operation and maintenance of a University IT system, whether an on-premises system or a hosted system, service or application.

  3. Standards Statement

    Responsibilities

    The Information Security Office in Information Technology Services assists System Owners in understanding system risk assessments, and provides standard forms and directions, reviews all system risk assessments and retains the documents, reviews industry standards and activities of relevant organizations in order to improve the risk assessment process.

    The System Owner is responsible for documenting and maintaining the system risk assessment information for systems owned, and is authorized to perform all tasks necessary to perform this function.

    The Data Owner is responsible for classifying the data on the IT system as Confidential or Restricted if any type of data handled by the system has a sensitivity of high or medium on the criteria of confidentiality, defining the protection requirements for the data based on the sensitivity of the data, any legal or regulatory requirements, and business needs. Availability and Integrity are defined by the BIA designation for Recovery Point Objective and Recovery Time Objective, and are reflected in the System Risk Assessment and in the University BIA.

    System Risk Assessments

    The overall process of system risk analysis and risk evaluation, and identification of risk treatments, is formally documented in the System Risk Assessment (SRA) and the Software Decision Analysis (SDA) that are drafted by the system owners and reviewed by the ITS Information Security Office.

    New IT systems will have an SDA performed in order to determine the system classification. For systems classified as restricted, a System Risk Assessment must be completed before the system is placed into production. For systems that are classified as confidential, an SDA will serve as the initial risk review allowing the system to go into production, and a System Risk Assessment can be completed within the annual risk assessment review cycle.

    All System Owners, in collaboration with the Data Owners, must conduct and document an information security risk assessment or SDA of IT systems they own or manage as noted below:

    1. Before a system is placed in production to provide services for the University, and
    2. Whenever a system design change occurs that may alter the risks associated the classification, environment, or operation and may impact the confidentiality, integrity or availability of a system. Data Owners should be notified if such changes have occurred.
    3. Upon contract renewal for hosted systems.
    4. Annually for restricted systems and BIA Immediate systems.
    5. Systems may be combined into a single system risk assessment when warranted based combined risks and controls.

    Restricted and BIA Immediate Systems

    System Owners of Restricted or BIA Immediate systems must review and update their system risk assessment annually, when system design changes occur, when system ownership changes, and upon contract renewal for hosted services.


    Confidential Systems

    System Owners of confidential systems must review and update their system risk assessment or SDA when system design changes occur, or when system ownership changes, and upon contract renewal for hosted services.

    System Risk Assessment Documentation

    System Owners, in collaboration with the Data Owners, must complete or update the System Risk Assessment, in the form provided by the Information Security Office that includes, at a minimum, identification of all risks discovered during the assessment, major findings, risk mitigation recommendations, if any, and may be in the form of an SDA, including named compliance requirements, security responsibilities, and data owner sign-off, until and unless a system risk assessment is deemed necessary.

    All information collected or used as a part of the system risk assessment process must be formally documented and securely maintained. New or updated System Risk Assessments are provided to the Information Security Officer upon completion.

    Risk Treatment

    Risk treatment efforts should be undertaken to mitigate identified high or unacceptable risks, using appropriate administrative, technical and physical security controls.

    In the event any assessment identifies inadequate controls or a lack of compliance with controls, a risk treatment will be undertaken, reported to upper management, and tracked until compliance is achieved or mitigating controls have been established and implemented. Risk treatments should take account of the legal-regulatory and private certificatory requirements; the organizational objectives, operational requirements and constraints; and the costs associated with implementation and operation relative to risks being reduced.

    Risk treatment decisions must be must be formally documented and securely maintained. Risk treatment decisions are provided to the Information Security Officer upon completion.

    External Parties

    External parties, including partners, vendors and contractors, are responsible for managing the risks to their information assets that are accessed, processed, communicated with in accordance with the contract and any guidelines provided by the Information Security Office.

    Assistance

    This Information Security Office is available to assist System Owners in understanding the process and completing the System Risk Assessments or SDAs.

  4. Procedures, Guidelines & Other Related Information

    Federal and State Law

    University Policy 3509 - Software Decision Analysis

    ITS Standard 01.2.0 - IT Security Roles and Responsibilities

    ITS Standard 02.3.0 - Data Administration & Classification Standard

    ITS Standard 07.1.0 - Business Impact Analysis Standard

  5. History

    Date

    Responsible Party

    Action

    October 2008

    CIO/ITAC

    Created

    October 2009

    CIO/ITAC

    Reaffirmed

    October 2010

    CIO/ITAC

    Reaffirmed

    October 2011

    CIO/ITAC

    Reaffirmed

    September 2012

    CIO/ITAC

    Revised

    December 2012

    IT Policy Office

    Numbering revised; Security Office revisions

    March 2012

    CIO/ITAC

    Reaffirmed
    December 2017 CIO/ITAC Revised
    December 2020 IT Policy Office Reaffirmed

Contact

IT Project Management

IT Project Management coordinates the efforts and resources of ODU ITS to produce effective, quality solutions for the University's students.

Student Computing

Faculty & Staff Computing

Site Navigation

Experience Guaranteed

Enhance your college career by gaining relevant experience with the skills and knowledge needed for your future career. Discover our experiential learning opportunities.

Academic Days

Picture yourself in the classroom, speak with professors in your major, and meet current students.

Upcoming Events

From sports games to concerts and lectures, join the ODU community at a variety of campus events.