No one’s immune to a data breach—but just how vulnerable are you?
When it comes to information security, taking a hard look at your institutional risk may not be easy. But it’s a critical step toward keeping your campus safe.
So what does a risk assessment even look like? What and who are involved? And what are the end goals?
Here are some best practices to help you get started.
While IT may lead the charge, your assessment will only have the necessary weight and impact if you engage a range of stakeholders. That’s because, in addition to technology, people and processes are significant risk factors.
Create a sense of urgency without creating a sense of panic, use non-technical talk that everyone can understand, and don’t promise things that can’t be delivered.
1. Executives.
Institutional leaders must set the tone that security involves everyone, and that it’s okay to have a frank and honest discussion about possible weaknesses. Executive buy-in will also be crucial once the assessment is complete and you need to garner adequate resources to address vulnerabilities.
2. Department heads.
In addition to providing access to systems and data, department heads must share ownership for any risks identified. That could mean overseeing changes to address threats—or, if that’s not possible, assuming and planning for an acceptable level of risk.
3. Finance, HR, and legal.
Because you’ll be assessing policies and procedures that govern the use of personal and financial data across all departments, having representatives from finance, HR, and legal involved at every stage is a must.
4. External auditors.
If you have the resources, you may consider hiring an external company to assess or audit your security risk. In addition to identifying technical vulnerabilities, expert auditors can also evaluate your risk of non-compliance with specific data privacy or usage guidelines. Since the latter can result in heavy fines or reputational damage, the investment may be worth it.
5. Vendors and partners.
If there are third parties sharing or storing your data, their vulnerabilities might as well be your own.
There are many methodologies for conducting a risk assessment. Some are open source, some are proprietary, but all aim to answer the same basic questions:
A good starting place for colleges and universities is the HECVAT, a questionnaire framework that was created for higher education to measure vendor risk. Over 100 colleges and universities and 30 solution providers use the HECVAT to reduce risk.
Regardless of which methodology you choose, know that the assessment may force your institution to make some hard choices. That’s because the activities you identify as necessary to mitigate risk may cost time or money you don’t have. It then becomes important to prioritize.
Not every threat is equally likely to occur, nor will they all have the same level of impact on the institution. If you have limited resources or are creating a timeline, it can help to locate threats on a map of likelihood vs. impact so you can begin to prioritize.
The accompanying map shows what this might look like for a sample institution. In the upper right-hand corner, the blue zone, the institution has listed “credentials for privileged accounts being shared too broadly”—which is highly likely to cause significant impact. Maybe administrator passwords are being shared among multiple users, or they’re being left unchanged when new staff replace old. Regardless, inadequate control over access and identity rights is a threat the institution must address immediately.
Closer to the center, in the turquoise zone, the institution has listed “No due diligence process for third-party vendors.” Because there is no known imminent threat, the priority may be slightly lower. But, if the institution’s data were to be compromised due to a partner’s data breach, the impact would still be high.
So any delay in addressing this threat implies an acceptance of risk. A map like this helps institutional leaders understand the tradeoffs, so they can have meaningful discussions about their tolerance for risk, allocation of resources, and financial, reputational, and operational impacts.
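The likelihood-versus-impact map described above can be kept as a small scored risk register rather than a drawing. The following Python is an added example, not code from the original guide or from any named framework: the 1-to-5 scales, the zone thresholds, and the scores assigned to the two threats from the text are assumptions chosen for illustration, and the third threat is constructed.

```python
"""Likelihood x impact risk map as a scored register (added example).

Assumptions: likelihood and impact are rated 1 (lowest) to 5 (highest);
the "blue" zone is both ratings >= 4, the "turquoise" zone is a product
score >= 8, everything else is "green". These thresholds are illustrative.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 = rare .. 5 = almost certain (assumed scale)
    impact: int      # 1 = negligible .. 5 = severe (assumed scale)

    def __post_init__(self):
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{label} must be 1..5, got {value}")

    def score(self) -> int:
        # Simple product score; higher means address sooner.
        return self.likelihood * self.impact


def zone(risk: Risk) -> str:
    """Place a risk on the map: blue (act now), turquoise (plan), green (monitor)."""
    if risk.likelihood >= 4 and risk.impact >= 4:
        return "blue"
    if risk.score() >= 8:
        return "turquoise"
    return "green"


def prioritize(risks):
    """Return (name, zone, score) tuples, highest score first.

    Ties break toward higher impact, so a rare-but-severe threat outranks a
    frequent-but-minor one with the same product score.
    """
    ordered = sorted(risks, key=lambda r: (r.score(), r.impact), reverse=True)
    return [(r.name, zone(r), r.score()) for r in ordered]


def accepted_risk(risks, addressed):
    """Total score of threats NOT in `addressed`: the risk the institution is
    implicitly accepting by deferring them."""
    return sum(r.score() for r in risks if r.name not in addressed)


# Sample register: the first two threats are the ones named in the guide
# (ratings assumed); the third is constructed for a low-priority contrast.
SAMPLE_RISKS = [
    Risk("Credentials for privileged accounts shared too broadly", 5, 5),
    Risk("No due diligence process for third-party vendors", 2, 5),
    Risk("Outdated acceptable-use posters in computer labs", 3, 1),
]


if __name__ == "__main__":
    for name, z, s in prioritize(SAMPLE_RISKS):
        print(f"{s:>3}  {z:<9}  {name}")
    deferred = accepted_risk(SAMPLE_RISKS, addressed={SAMPLE_RISKS[0].name})
    print(f"Accepted risk after fixing only the top item: {deferred}")
```

Running the script lists the register from most to least urgent and reports how much scored risk remains if only the top item is funded, which is the number worth putting in front of leadership when discussing tolerance for risk.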
Because there are so many factors that impact security—not the least of which is rapidly evolving threats—it’s not enough to conduct a single assessment.
Choose a schedule for regularly updating your assessment, whether annual, quarterly, etc. Internal self-assessments should be relatively frequent, while external auditors might be scheduled less often or for specific purposes.
It’s also a good idea to engage regularly with peers and industry workgroups. Staying on top of the latest threats, mitigation techniques, technologies, and best practices is often too much for one institution. Attend cybersecurity events and pay attention to what’s happening in other fields, such as government or healthcare.
When it comes to vigilance and continuous learning, you can’t do too much.
Once you’ve conducted a thorough risk assessment and set institutional priorities, the next step is to create an effective information security plan—including everything from technology to incident response to education.