There are five basic steps in Virginia Tech’s IT risk assessment process. This section will describe in more detail what action needs to be taken for each step. Results from each step should be entered into the template, and then reviewed by department managers. On an annual basis, the report should also be submitted to Virginia Tech’s Office of Converged Technologies for Security, Safety and Resilience. Instructions for submitting your completed report are given at the end of these instructions.
Step 1 and Step 2 of this process comprise what is sometimes referred to as a Business Impact Analysis, or Mission Impact Analysis. In the event of an audit, federal, state, or university auditors may use that terminology when referring to your finished ITRA report.
Mission impact analysis requires the input of both the administrative leaders and information technology experts in each department. Management is encouraged to select an assessment team from departmental personnel to be responsible for assuring that risks are reviewed and addressed, updates are made, and that a process is in place within the department to perform the complete IT risk assessment on an annual basis.
Step 1: Identify Technology Assets – Use the ITRA Template (DOCX | 84KB) (Step 1: Mission Impact Analysis) to document your department’s mission critical information technology assets. The output of this effort will be a list of technology assets that can then be prioritized as described in Step 2.
Technology assets, in the context of this process, are defined as any personnel, hardware, software, data, systems, services, and related technology assets that are important to the mission of the department.
In completing Step 1 and Step 2, the main question to consider is: “What might be the impact if the office were to lose access to this technology resource for more than a week?” This portion of the ITRA should also be used to briefly describe the specific business functions, personnel, processes, research, or extension environments that exist within the department, in terms of their use of technology resources.
In some cases it may be appropriate to combine assets (for example, all workstations for faculty, all networked printers, all copiers, etc.) while in other cases, specific assets should be listed singly (for example, special use servers, BANNER accounting machine, student labs, or a specific instructional software package).
It may also be appropriate to identify personnel that have responsibility over specific assets (for example, a researcher responsible for specific lab equipment, or a person who is exclusively relied upon to maintain or operate hardware and/or equipment).
Step 2: Review and Prioritize the Assets – The next step is to select criteria that can be used to prioritize the list of technology assets generated in Step 1, classifying each asset as mission critical, essential, or normal.
- Mission Critical – Mission critical assets are those assets that are highly sensitive with respect to confidentiality, integrity, and/or availability, or which, if compromised, could pose a risk to life, health, and/or safety. An asset may also be classified as mission critical if it is subject to legislative, regulatory, and/or contractual compliance requirements, or if it is involved in restricted research activities (as classified under the International Traffic in Arms Regulations, ITAR).
- Essential – The department could work around the loss of this information asset for several days or perhaps a week, but eventually the technology asset would have to be restored to a useable status.
- Normal – The department as a whole can operate without this information asset for an extended (though perhaps finite) period of time, during which particular units or individuals may be inconvenienced and/or need to identify alternatives.
Table 1 (available below) provides additional guidance on what defines a critical asset. Considerations could include criticality of asset, impact of asset, costs of failure, potential for negative publicity, and legal and ethical issues. It is important that the assessment team agrees upon and establishes a common understanding of the criteria.
| Critical Asset Description | Example |
| --- | --- |
| The asset performs a function that safeguards the life or health of members of the university community or the general public. | Computing and telecommunications resources for Police/EMS dispatchers |
| The asset is required to perform a function related to public safety for university community members or the general public. | Networked laboratory equipment that performs assays on pathogenic bacteria |
| The asset is required to support patient care services. Without the asset, patient care services would be severely impacted. | Computerized patient records at Schiffert Health Center |
| The asset is required to support instruction in such a way that instruction could not continue without it. | Scholar, servers for distance learning courses (IDDL) |
| The asset is required to support research grants, and the requirements of those grants could not be met without the asset. | Cayuse processing at OSP, unique laboratory equipment with a computer interface |
| The asset is required to provide central University business and support functions. | Registrar, bursar, controller, banner, Hokie Mart |
| The asset is required to provide services on which multiple University departments or other institutions or agencies depend. | Centralized GIS data hosting through VT-GIS, web hosting through computing.vt.edu |
| The asset concerns data which is highly sensitive or in other ways access restricted. | Databases of personnel records, medical records |
Using these criteria as a guide, the team will determine the best way to classify the listed assets. The number of technology assets in any priority group will vary, but classifying them becomes more difficult as their total number grows. A good target number for the initial “critical” assets is probably a dozen or so. Fewer is fine. Twenty is probably too many. The remaining assets should then be discussed and identified as either “essential” or “normal”. This exercise will produce a prioritized list of departmental assets that will be used throughout the rest of this process.