Departmental Management and Final Decisions
In many cases, proposed solutions will be straightforward and easily implemented. However, for other solutions the decision of what to do and when to do it will be much more difficult. It is strongly suggested that the assessment team involve departmental managers in the process as much as possible, especially in cases where proposed solutions are not part of the established budget, and funds must be procured or redirected to allow full implementation.
If more than one solution exists, departmental managers will need to find the economic balance between the impact of each risk and the cost of the solutions intended to manage it. Depending on the proposed solutions and the funds available, the ‘best’ solution may not be the one that can actually be implemented.
Departments are encouraged to include any additional material they feel is important to make the risk assessment complete. In the template, the General Comments section is provided for this purpose. It can be used to identify special situations, or highlight any unique departmental characteristics that may impact the ITRA.
IT Risk Assessment Reporting
Using the ITRA Template provided, each departmental risk assessment team is expected to complete a report that can be easily shared with all parties involved in the process. This report should be maintained within the department. In addition, a copy of the completed ITRA report should be sent to Virginia Tech’s IT Security Office (ITSO). IT Risk Assessments must be reviewed and updated on an annual basis. The only valid ITRA is one that is current with regard to the technology assets present in the department. ITSO will maintain a centralized digital archive of ITRA reports for each department and unit at Virginia Tech. Reports can be sent as an attachment (PDF format is preferred) to firstname.lastname@example.org.
David Raymond – 231-3809