A vital step in the IT risk assessment process is to review possible information technology risks and determine the likelihood and potential impact those risks would have on each of your critical assets. The list below contains common IT security risks that must be considered for every critical asset identified in Step 2. If a risk does not apply to a particular asset, simply leave the rating column next to that risk (in Step 3 of your ITRA template) blank. Many of the definitions below include questions that may help you consider the scope of a particular risk. If you have identified other risks that are not covered on this list, please add lines to your tables in Step 3, and list those risks along with their definitions. The risks listed below are covered in various university policies and standards. For more information on these policies, go to:


Potential Risk: Definition / Additional information

Lax or Dated System Administration Practices

System administration practices vary, but common best practices should include: periodic security audits, adequate backups for up-to-date recovery, secure system configurations and management procedures, documented and tested security settings, and up-to-date training. Failure to keep computers (hardware and software) up to date with current operating system patch levels, antivirus software, and firewalls puts the entire enterprise at risk. Are appropriate application software updates and security patches being applied in a timely manner to devices on which University-related data reside? Are procedures in place to review and test business-critical applications for adverse impacts on organizational operations or security after the installation of service packs, patches, hot fixes, etc.? See policies 7000 and 7010.

Inadequate Desktop Access Control Management

Access control monitoring includes recording and reviewing system logs for user activities, exceptions, and security events, and periodic review of which users have access rights. Are user access rights reviewed at regular intervals? Have formal user registration and de-registration procedures been documented? Do departmental desktop computers comply with University Policy 7010?

Lax Operational Policies

Operational policies should be in line with VT security policies, with provision of adequate system administration support. Are change controls and configuration management for production system modifications in place? Are there any fiscal constraints that hinder the department's ability to enforce security policies? Is there an up-to-date inventory of all departmental technology assets and software? Refer to policies 7000 and 7010.

Key Person Dependency

Relying on one person to maintain critical services can severely compromise day-to-day operations if problems occur. Having the necessary support structure with backup personnel is important. A lack of sufficient, properly trained personnel to support departmental hardware, software, and/or services can compromise mission objectives. Refer to policy 7010.

Lack of Strong Passwords

Passwords are the first line of defense against interactive attacks. Protecting information systems and data often comes down to using strong passwords. Does your unit enforce automatic password change management or automatic expiration of passwords, as well as password complexity and reuse rules? Visit http://www.awareness.security.vt.edu/passwords/index.html to review current university password rules. Relevant policies include 7000 and 7010.

Inadequate Safeguards on Sensitive Data

Sensitive university information includes any information that could cause physical, financial, or reputational harm to the university or to members of the university community if released inappropriately. Under University Policy 7100, data elements classified as limited-access are considered sensitive information. Detailed audit logging for access to nonpublic data and special authentication for sensitive data should be in place. Is all sensitive data encrypted in place and in transport? Is access to sensitive data restricted? Does your department know how to report security breaches? Does your department use Identity Finder or other similar software to scan workstations? Relevant policies also include 7025 and 7105.

Inadequate Access Control

Access control includes the mechanisms used to ensure that resources and services are granted only to those users who are entitled to them. Examples of access controls include passwords, permissions, personal firewalls, rule sets, biometrics, keys, and smart tokens. Access control provides selective restriction of access to a place or other resources, such as computers, routers, switches, etc. Does your department change all default user IDs and passwords on networked devices, including printers, scanners, etc.? Does your department encrypt all administrative access to mission-critical assets? Do you log all access to computers and all system configuration changes? Are mission-critical systems housed in a secure location with access restricted to authorized personnel only? Relevant policies include 7000, 7010, and 7025.

Inadvertent Data Exposure or Loss

Data exposure or loss prevention controls are based on policy, and include classifying sensitive data, discovering that data across an enterprise, enforcing controls, and reporting and auditing to ensure policy compliance. Does your department periodically scan computing devices for sensitive data such as social security numbers, credit card numbers, birth dates, personal addresses, and other Personally Identifiable Information (PII), using Identity Finder or other similar software? Relevant policies include 7025, 7030, 7040, 7100, and 7105.

Inappropriate Use of Clear Text

Clear text is unencrypted text, and the security implications of sending sensitive data in clear text could be significant. Is confidential, personal, or sensitive data encrypted during transmission and at rest? Are the associated encryption keys properly protected? Is clear text transmission of sensitive data prohibited? Relevant policy includes 7105.

Lack of Adequate Physical Security

The two major objectives of physical security are personnel safety and access control. Are there physical entry controls in place to allow only authorized personnel access to critical assets? Are areas that house critical assets (computers, servers, switches, file cabinets, safes) locked or lockable? Are delivery or loading areas monitored to avoid unauthorized access? Are departmental backups stored in a remote location? Does your department maintain a current inventory of IT assets, including associated operating systems and software, as outlined in step 1 of the IT Risk Assessment? Relevant policy includes 7010, 7025.
Natural Disaster

Floods, lightning, tornadoes, and high winds can result in fire, power outages, and other events that disrupt business operations. Are uninterruptible power supplies (UPS) with surge protection used on all powered critical assets (servers and other important hardware, including desktop machines)? Relevant policy includes 7010.

Loss of Network Connectivity; Man-made Disaster, Construction, Contamination

Losing access to departmental technology assets, services, and critical data due to network, equipment, or power failures, structural problems, biological or chemical contamination, human error, or theft can disrupt or destroy equipment, curtail services, and limit your department's ability to execute the day-to-day business operations required to perform its organizational mission. Does the department have an up-to-date continuity of operations (COOP) plan? Relevant policy includes 7010.

Hardware Failure / Service Loss

Loss of service due to hardware failure or loss can disrupt the delivery of critical services. Does your department maintain a current inventory of IT assets, with associated operating systems and software? Does your department maintain adequate backups for up-to-date data recovery? Relevant policy includes 7025.

Malware

Malware is the short form of "malicious software." It means any software instructions that were developed with the intention to cause harm. Some common examples of malware are worms, exploit code, and Trojan horses. Are there prevention and recovery controls in place to protect against malware? Have appropriate user awareness procedures been implemented? Relevant policies include 7000 and 7010.

Social Engineering / Phishing

Social engineering / phishing involves the use of trickery and/or manipulation to gain access to information by persuading users to divulge sensitive or confidential information or to take some action. Social engineering / phishing attacks often use a combination of methods, including email or telephone calls, to gain small amounts of information from a large number of people for malicious purposes. Has your department utilized the "Securing the Human" online awareness training offered by the Virginia Tech Information Security Office, or provided another form of awareness training for staff? Relevant policies include 7000 and 7010.

Insecure Vendor- or Custom-Developed Software

The widespread growth and adoption of third-party application software comes with increased security risks. If your department depends upon third-party vendor software or custom-developed applications, it is critical to ensure that Virginia Tech's privacy requirements (enumerated in policy 7025, section 3.2) are satisfied. The IT Security Office performs application security reviews for commercial (and homegrown) applications in use at Virginia Tech. Do you have the necessary vendor contact information for your hardware and software? Relevant policies include 7000, 7025, and 7030.
Spoofing / Forgery

Spoofing is an attempt by unauthorized users to gain access to a system by posing as an authorized user. Spoofing involves passing fraudulent information for some malicious goal and can be implemented in numerous ways. For instance, IP spoofing is used to gain unauthorized access to a computer by supplying a false IP address, and web spoofing is an attack that redirects a user to a false version of a site. Does your department utilize firewalls? Relevant policies include 7000 and 7010.

Lack of Funds

Does your department have sufficient funding to secure hardware and software at acceptable levels, or to replace vulnerable, obsolete equipment when necessary? Relevant policy includes 7010.

Outdated Continuity of Operations Plan

A continuity of operations plan (COOP) is a departmental plan for the restoration of critical resources identified in a Business Impact Analysis. All units, departments, and divisions of the University that serve a critical role or maintain an essential function are required to participate in COOP planning. Your department's COOP plan should be updated whenever you update your Risk Assessment. Is this mission-critical asset included in your department's COOP? If you require assistance with the development or revision of your Continuity of Operations Plan (COOP), please contact the Office of Emergency Management (1-2438), or visit http://www.emergency.vt.edu/programs/plans/COOPs.html

Service Level Agreement

A Service Level Agreement (SLA) documents the level of service a service provider is expected to deliver to the customer. An SLA provides a common understanding of expectations about services, priorities, responsibilities, guarantees, and warranties. Does your department have an SLA with the external vendors that support critical services?

Inadequate Maintenance Windows

Coordinating downtime for maintenance of this asset has become difficult. Delayed maintenance can leave known vulnerabilities unpatched and exposed.

Lack of True 24/7 Availability

This asset lacks the system/service redundancy that would allow for true 24/7 availability regardless of maintenance schedules or system component failure.
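The workstation scanning that the "Inadequate Safeguards on Sensitive Data" and "Inadvertent Data Exposure or Loss" entries above call for (Identity Finder or similar) can be illustrated with a small pattern scanner. This is an added example, not code from the risk assessment template or from Identity Finder; the sample file contents are constructed, and the SSN plausibility rules and Luhn check are standard validation steps that cut false positives from plain regex matching.

```python
import re

# Credit card numbers (13-19 digits, optionally split by spaces/dashes) and SSNs
# (NNN-NN-NNNN). Regex hits are validated by the functions below to cut false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that happen to match CARD_RE."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped values the SSA never issues (area 000/666/9xx, zero group/serial)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def mask(value: str) -> str:
    """Keep only the last four digits so a finding can be logged without re-exposing it."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_text(text: str) -> list:
    """Return (line_number, kind, masked_value) for every validated hit, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append((lineno, "ssn", mask(m.group(0))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                findings.append((lineno, "card", mask(digits)))
    return findings

# Constructed sample file contents (not real data): a plausible SSN, a valid test card
# number, an SSN-shaped value with an invalid area, and a digit run that fails Luhn.
SAMPLE = """applicant ssn 219-09-9999 on file
refund to card 4111 1111 1111 1111 approved
placeholder id 000-12-3456 should not count
tracking number 1234567890123 is not a card
"""
```

Running `scan_text(SAMPLE)` reports only the first two lines; the invalid-area SSN and the non-Luhn digit run are dropped, which is the difference between a usable discovery report and one buried in false positives.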

Another set of risks that can be referenced for the assessment is the one provided by the SANS Institute. The SANS/FBI Top 20 vulnerabilities list is prepared and updated regularly to reflect those risks that have a high probability of occurring and could result in the loss of a critical service or data. This list can be found at the following location: