OIT Risk Assessment Plan

A Risk Assessment Plan is a controlling document that incorporates the goals, strategies, and methods for performing IT risk management for the organization.

This document identifies potential risks related to IT used by BYU-Hawaii, the likelihood and impact of those risks, and how we prioritize our work to mitigate those risks.

Our 2016 OIT audit noted the following:

IT policies, together with detailed standards defining how to follow the broader IT security policy, have not been established. These policies should address areas of risk identified in the formal IT Risk Assessment. Some examples of these needed policies and standards (as identified in the initial risk assessment conducted by the BYU-Hawaii IT operations) include:

  • Guidelines for granting user permissions to sensitive systems (such as PeopleSoft)
  • Data retention definitions for various system and database backups
  • Security monitoring guidelines
  • Change management guidelines
  • Incident management guidelines

Our Management Action Plan was this:

Last year, [BYUH OIT] performed a risk assessment to identify and prioritize IT risks. We recognize that we are at the beginning of an ongoing assessment process. As this process matures, the related IT policies and standards will mature as well.

This year, the OIT directors will do another formal risk assessment and will develop corresponding policies and detailed standards to address the risks that are identified. These new policies and detailed standards will be formally documented and approved. They will then be tracked in the TeamDynamix Knowledge Base IT Governance section.

This document summarizes our work during the year, and is the baseline for our 2017 work on assessing and mitigating risks. See attachments.

Details

Article ID: 23295
Created: Thu 1/19/17 4:57 PM
Modified: Wed 9/6/17 11:34 AM

Files (2)

  • OIT Risk Assessment brainstorm.xlsx (1/19/2017 4:58:38 PM)
  • Risks by priority.xlsx (9/6/2017 11:35:04 AM)