
2018 OIT Risk Assessment Plan

A Risk Assessment Plan is a controlling document that incorporates the goals, strategies, and methods for performing IT risk management for the organization.

This document identifies potential risks related to IT used by BYU-Hawaii, the likelihood and impact of those risks, and how we prioritize our work to mitigate those risks.


Our 2016 OIT audit noted the following:

IT policies, together with detailed standards defining how to follow the broader IT security policy, have not been established. These policies should address areas of risk identified in the formal IT Risk Assessment. Some examples of these needed policies and standards (as identified in the initial risk assessment conducted by the BYU-Hawaii IT operations) include:

  • Guidelines for granting user permissions to sensitive systems (such as PeopleSoft)
  • Data retention definitions for various system and database backups
  • Security monitoring guidelines
  • Change management guidelines
  • Incident management guidelines

Our Management Action Plan was this:

Last year, [BYUH OIT] performed a risk assessment to identify and prioritize IT risks. We recognize that we are at the beginning of an ongoing assessment process. As this process matures, the related IT policies and standards will mature as well.

This year (2017), the OIT directors will do another formal risk assessment and will develop corresponding policies and detailed standards to address the risks that are identified. These new policies and detailed standards will be formally documented and approved. They will then be tracked in the TeamDynamix Knowledge Base IT Governance section.

We also planned out what we would be working on over the next 5 years.


For 2018, we have updated the risk assessment with what we accomplished in 2017, and what we are planning to do this year. This document summarizes our work during the year, and is the baseline for our 2018 work on assessing and mitigating risks. See attachment.

NOTE: With the CES decision to consolidate a Security Operations Center (SOC), we have many things in flux as we identify architecture, processes, and tools that will help us. The plan for the next two years could dramatically change as we look at what we can accomplish.


Article ID: 23295
Thu 1/19/17 4:57 PM
Tue 5/8/18 4:38 PM
