IT Risk Assessments

The ITSO has partnered with Salty Cloud and is now using Isora GRC, a cloud-hosted risk management tool developed for higher education institutions, to complete departmental IT Risk Assessments. ITRAs should be completed every three years unless new systems/services have been implemented or your department must meet additional compliance requirements (e.g., GLBA), in which case annual assessments may be required.

The departmental IT Risk Assessment process in Isora GRC is comprised of three main steps:

  1. Asset inventory – Inventory of all hosts managed by the department, including endpoints & servers (physical, virtual, cloud), network devices, multi-function printers/scanners, as well as any IoT or special-purpose computing devices.

  2. Asset classification – Classifying each asset/host based on its importance (priority) to the unit (critical, essential, non-essential) and its risk level according to the VT Minimum Security Standards (high, med, low).

  3. Security controls assessment – Completing a questionnaire based on the CIS Critical Security Controls v8 and the VT Minimum Security Standards.

Once complete, the output of the assessment is a report that includes an assessment score, data categorization and distribution mapping, and a risk map based on the weighted responses provided in the security controls assessment questionnaire. The risk map will provide departments visibility on their posture in control areas and will help guide efforts for measured improvement in compliance and risk management.

IT Risk Assessment Procedure

IT Risk Assessment Documentation

Isora GRC Assessment Guide (PDF)

Related Documentation

Minimum Security Standards

Standard for High-Risk Digital Data Protection

Virginia Tech Risk Classifications