2022 OIT Risk Assessment Plan

A Risk Assessment Plan is a controlling document that incorporates the goals, strategies, and methods for performing IT risk management for the organization.

This document identifies potential risks related to IT used by BYU-Hawaii, the likelihood and impact of those risks, and how we prioritize our work to mitigate those risks.


We continue to work with the CES SOC to create the risk assessment tool.


With the SOC up and running well, we are now working with them to identify a common risk assessment tool that each campus can use to evaluate our risks using the same methodology. We are working to create the risk assessment tool.


With the SOC up and running well, we are now working with them to identify a common risk assessment tool that each campus can use to evaluate our risks using the same methodology. Once we choose a tool, OIT will evaluate and identify the risks to work on. In the meantime, here is our list of what we're working on this year:

  • Monitor and promptly respond to patch releases, security bulletins, and vulnerability reports. Done. We have worked with the CES SOC to stay apprised of any notices.
  • Vulnerability management strategy in place. Done. We work with the CES CISO to identify and coordinate response to CES-wide vulnerabilities.
  • Independent security reviews at planned intervals. 9/30/2020. We have decided to wait on this a bit and standardize this with the rest of the CES SOC.
  • Independent security reviews when significant environment changes occur. Done. SOC supported.


Our SOC is now up and running, and we are starting to put procedures in place for when we have incidents. Many things were accomplished in 2018, and some already for 2019. Here's our list of what we're working on this year:

  • We assess the security controls of contracted services with external entities (third parties) before granting access to sensitive institutional information assets. 11/30/19
  • 2018--Encryption standard. 6/30/19
  • 2018--Change management for configuration. 6/30/19


For 2018, we have updated the risk assessment with what we accomplished in 2017, and what we are planning to do this year. This document summarizes our work during the year, and is the baseline for our 2018 work on assessing and mitigating risks. See attachment.

NOTE: With the CES decision to consolidate a Security Operations Center (SOC), we have many things in flux as we identify architecture, processes, and tools that will help us. The plan for the next two years could dramatically change as we look at what we can accomplish.


Our 2016 OIT audit noted the following:

IT policies, together with detailed standards defining how to follow the broader IT security policy, have not been established. These policies should address areas of risk identified in the formal IT Risk Assessment. Some examples of these needed policies and standards (as identified in the initial risk assessment conducted by the BYU-Hawaii IT operations) include:

  • Guidelines for granting user permissions to sensitive systems (such as PeopleSoft)
  • Data retention definitions for various system and database backups
  • Security monitoring guidelines
  • Change management guidelines
  • Incident management guidelines

Our Management Action Plan was this:

Last year, [BYUH OIT] performed a risk assessment to identify and prioritize IT risks. We recognize that we are at the beginning of an ongoing assessment process. As this process matures, the related IT policies and standards will mature as well.

This year (2017), the OIT directors will do another formal risk assessment and will develop corresponding policies and detailed standards to address the risks that are identified. These new policies and detailed standards will be formally documented and approved. They will then be tracked in the TeamDynamix Knowledge Base IT Governance section.

We also planned out for the next 5 years what we'd be working on.


Article ID: 23295
Thu 1/19/17 4:57 PM
Tue 10/11/22 8:47 AM
