In Steps 1-3 you defined your mission-critical IT assets, developed a plan to protect them against threats and vulnerabilities and provided contingencies to fall back on in cases where the protection proved inadequate. Given the rapidly changing nature of IT and IT risks, Step 4 requires regular evaluation and reassessment of the work accomplished in Steps 1-3.
Remember, ITS-RM is never a completed process: after an assessment, you create a security plan, the implementation of which will take time, from highest priority to lowest, as criticality and resources allow. By the time that plan is fulfilled, changes will have occurred in your environment requiring reassessment, although that process should get easier with each iteration because you are building on an ever stronger security foundation.
University policy requires reassessment of your department’s ITS-RM at least every three years, but that process really needs to occur whenever the technology of your identified critical assets changes, or you complete your security plan. In particular, a reassessment is critical if the changes in your department affect the larger University community and/or dependent external entities.
Note: HIPAA requires retention for at least six years after their last effective date of compliance planning records with decisions and justifications, including the risk management portion of that planning. The OIT repository of your completed ITS-RM document can serve as a backup for departmental retention.
Below are a series of questions to help you complete your evaluation and reassessment.
- Repeat Steps 1-3 every three years or when there are significant changes to departmental IT assets or risk environment
- Review the success of your prior analysis, testing and any responses made, whether they were corrective, preventative or post-incident
- Incorporate responses to any intervening changes (new operating system, critical applications or data, or state or federal standards)
(A copy of this template, as well as all the other templates required to complete your department’s report on the ITS-RM process, is available in Word format here and Adobe PDF format here.)
Unit Name: ___________________ Sub-Unit Name: ___________________

Evaluation and Reassessment Questions

Complete every three years or when there are significant changes to departmental IT assets or risk environment (see Table 1: Critical Asset Criteria). The process gets easier because you are building on your earlier effort. All questions refer to the time period since the last evaluation.

A. Evaluation

1. Have you adequately protected what your analysis said you should?

2. Has there been any loss, unavailability, corruption or inappropriate disclosure of critical IT assets or data? If so, how effective was the response?

B. Reassessment

1. Have you changed your operating system? Examples: Windows to UNIX/Linux, Windows 98 to Windows XP, Mac OS to Windows.

2. Have you changed any critical applications? Example: migrated a compliance database from Access to SQL Server.

3. Are there any new critical data housed in your department? Note: data may be critical based on mission criticality, sensitivity or protected status.

4. Are there any new state or federal standards or University policies applicable to your department? If so, to which systems and/or data do they apply?

5. What risk mitigation that you could not afford previously can you now afford, or that, due to increased risk in that area, you can no longer afford not to put in place?

6. Are there any new technologies allowing for easier and/or cheaper mitigation of certain risks?

7. Has there been an increase or decrease in the number of servers or systems?

8. What interim risk mitigation measures have been put in place for new systems?

9. Are there any systems that are no longer mission-critical? If so, are there risk mitigation efforts that can be discontinued?

10. What functions have been moved to central servers, so that you no longer have risk management responsibility for them?

11. What functions have been moved to local servers, so that you now have risk management responsibility for them?

12. What new functions has your department taken on in pursuit of its mission? Are any of them IT-asset-dependent?

13. What old functions have become IT-asset-dependent?

14. What relevant personnel turnover, additions or subtractions, or role changes have occurred?

15. Do you have any long-term backups (archives) that need to be refreshed on new media (or destroyed)?

Prepared by (administrative contact) Name: __________________________
Prepared by (technical contact) Name: _________________________

Name: _________________________ Signature: ______________________