IT Risk Assessment

Task list

The IT Risk Assessment process is a university-wide review conducted yearly within a 3-year cycle. This university review, aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, engages approximately 34 ASU departments to inform leading security and privacy metrics. These metrics identify and inform the strategic security focus to be addressed through an engaged, continuous improvement process within the coming year.

2022 IT Risk Review Checklist

  1. IT Alignment: Leverage enterprise technology resources
    • Review security policies, standards and procedures
    • Periodically review your IT Exec Dashboard, confirming that your unit is meeting university goals and setting internal goals for areas of risk.
    • Confirm the high and medium criticality list for your unit. You can also access an up-to-the-minute inventory.
  2. Awareness & Training: Track and drive 100% Information Security Awareness Training course completion for all of your users, especially privileged users, through the Training Compliance Dashboard
    • Drive 100% security training completion across all relevant training programs, including InfoSec, FERPA, HIPAA, Developer Training and others.
  3. Protective Technology
    • Review your department needs for removable devices that carry sensitive data or large data sets. See mobile guidance or contact the Information Security Office
  4. Event Detection: Collaborate with Enterprise Technology to:
    • Drive 100% enterprise logging system coverage for in-scope departmental systems. See Logging Best Practices and the list of system logs added to Splunk.
    • Review existing system alert thresholds and define net new alerts for any gaps identified
    • Email the Security Operations Center to consult and coordinate.
  5. Recovery Planning: Ensure your ASU Ready recovery plans are reviewed annually and updated for continued relevance, even if an incident does not occur
    • Periodically review, test and update your Continuity of Operations (COOP) Plan in ASU Ready.
    • For systems identified as critical, ensure they are included on the High and Medium criticality list
  6. Privacy
    • Review third-party contracts annually to ensure alignment with University privacy, retention, and data destruction requirements defined in the Third-party Guidelines.
    • Leverage ServiceNow (CMDB) to automate a centralized inventory of privacy-related information.
    • Review ASU policies and standards annually to ensure continued regulatory compliance
    • Embed privacy by design in your unit’s culture and upcoming initiatives. See the Privacy at ASU website or contact