
IT Risk Assessments

Key IT Risk Assessment Program Principles:

  1. Security is a shared responsibility and everyone has a role to play;
  2. In continuous risk management, risk assessment is key;
  3. Units are responsible for managing their own information security risk; and
  4. “Risk” and “Priority” classifications primarily inform risk level and security controls.

Standards

VT IT Risk Assessment Standard – Covers inventory, classification and risk assessment of VT-owned technology resources and internally developed software applications. Also covers the risk model, risk analysis methodology, risk ownership/acceptance, risk treatment, and university departmental/org unit responsibilities for recurring IT risk assessment.

VT IT Vendor Risk Assessment Standard – Covers requirements for ITSO security evaluation/assessment of third-party service providers/vendors handling university data, including the identification and analysis of security risks, risk ownership/acceptance, risk treatment, and requirements for periodic reassessment of service providers with specific compliance objectives.

IT Risk Assessment Documentation

Isora GRC Assessment Guide (PDF)

Related Resources

Updating Hosts Inventory in Isora GRC

Updating Application Inventory in Isora GRC

IT Risk Assessment Metrics

Minimum Security Standards v4.0

Standard for High-Risk Digital Data Protection

Virginia Tech Risk Classifications

Definitions

  • Applications - Software programs, code, or packages that perform specific functions directly for end users or for other applications. Applications can be “self-contained” or groups of programs and may or may not be network accessible. Applications can be developed and maintained “in-house” by VT units or provided by a third-party service provider.
  • End Points - Desktops, laptops or mobile devices.
  • Network Infrastructure - Devices that transport communications needed for data, devices, applications, services, and multi-media. This includes devices such as routers, switches, load-balancers, wireless access points, firewalls, intrusion detection/prevention systems, and other security or special purpose appliances.
  • Servers - Hosts that provide network-accessible services. Servers can be physical or virtual machines and may be hosted on-premises or with a cloud service provider (CSP).