Given the serious security risks to information technology (IT) assets, managing those risks effectively is an essential task for the University and its departments. The process is one that will benefit both the individual department and the University as a whole. Completing such a risk management process is extremely important in today’s advanced technological world. It is important that management understand what risks exist in their IT environment, and how those risks can be reduced or even eliminated.
Like fire insurance, the IT Security Risk Management (ITS-RM) program is a form of protection that the University simply can’t afford not to have. The University has business processes, research and instructional efforts, and legally protected data that depend on IT assets that the institution cannot afford to lose or have exposed. Unfortunately, these IT assets are subject to an increasing number of threats, attacks and vulnerabilities against which more protection is continually required. The ITS-RM program is an essential component in this overall effort.
Although the ITS-RM program will likely be welcomed by departments that have already experienced loss of mission-critical IT resources, many will not fully appreciate the need for assessment and planning. Consequently, a University policy regarding participation is necessary.
A University policy requiring all departments to participate in the ITS-RM program was approved 11/18/04. This policy is available here. The ITS-RM program will apply to Agencies 207 (Academic Division), 209 (Medical Center) and 246 (College at Wise). All departments will complete their first iteration of the process by July 1, 2007, with department heads (or higher) responsible for approving the submitted reports. (See section III. F. for complete reporting requirements.)
Those departments wishing to begin this important task may use the information, templates and tools provided in this document to initiate the IT security risk management process.
