Here is an example of what is at risk without an up to date risk assessment: 
Idaho State U. Will Pay $400,000 to Settle Medical-Records Case

The Information Technology risk assessment and analysis process identifies departmental mission critical business functions, services and data, as well as the information technology related assets required to support them.  By focusing on the applications and data which are critical to your organizations business processes first, you can ensure appropriate risk and security considerations are in place no matter what technology is interacted with.

There are numerous methodologies for conducting an IT risk assessment.  What methodology to use and how through and itemized an assessment should be depends greatly on the size and complexity of an organization’s IT environment?  This page provides alternative templates and informational materials that can help you understand the importance of conducting an IT risk assessment.

No matter what methodology you use, the presence of the following three high-level processes is constant in most IT risk assessment methodologies.

  • Evaluation and assessment: to identify assets, evaluate their properties and characteristics and prioritize. This is sometimes called a business impact analysis.
  • Risk assessment:  to consider and recognize threats and vulnerabilities that pose risk to the critical identified in the evaluation and assessment process. 
  • Risk mitigation;  to address high impact risk by transferring, or sharing, eliminating or accepting the risk to critical assets. 

Done well and used correctly, an IT risk assessment can be an invaluable tool for justifying future security investments and a mechanism to help influence management’s support and commitment to allocating additional budget for security resources.  Most importantly, properly conducted departmental IT risk assessments are key to understanding and establishing university resilience.

Because there are numerous methodologies for conducting an IT risk assessment, below are some additional informational resources for consideration. These resources will change periodically as other ITRA templates, tools, and articles etc., are discovered. We welcome suggestions for additional resources as well. Please use the contact information at the bottom of the page to make suggestions or comments.

IT Risk Assessment Training

On-site training for completing your department’s IT Risk Assessment is available at your convenience. Please contact to request the training and we will work with your schedule to set it up.


Contact us:
David Raymond – 231-3809