Digital Risk

We provide university administration, faculty, and staff with an understanding of their risk position to enable more informed decisions. 

Risk assessment
Assess information risks

  • Begin by identifying and prioritizing risks to your data. Identify all the data you work with according to the four data classification levels: high risk, sensitive, internal and public. More detail on these levels can be read on the Data Classification page.
  • Second, consider the risks created by your data's exposure. Are you exposed to internet-based attacks or stolen laptops, and do regulations cover your data? Use the risk level assessment at https://go.illinois.edu/risklevel to assess your information risk.
  • Using this three-step process (assess, implement, verify), all units and departments can make measurable improvements to their information security, with a corresponding measurable reduction of their information risks.
Implement the Information Security Program

  • The goal of this step is to reduce or eliminate the risks identified in step one. The focus is on business risk and not on the latest available technology. The Illinois Security Standards map to risk levels for the purpose of implementing the university security program in your unit. 
Verify compliance with both the Information Security Program and applicable laws and regulations

  • This step assures the business owners that information risks are being managed. The university conducts assessments to evaluate current compliance and to discover where additional resources are needed. 

Risk consulting

If your project will result in a purchase that will store, collect, access, create, manage, process, or transmit university data, engage us at the beginning of the project to help avoid implementation delays. University purchasing requires review of software and cloud-related purchases and contracts before buying.

If working with data also means disclosing it to third parties, for example by placing university data inside a cloud vendor's service, there may also be legal requirements that must be met before the data can be placed there. You can engage subject matter experts to help you navigate these requirements. We can help you see your project through to a successful conclusion.

Security reviews should be conducted annually to address potential changes in use cases, data classification, and vendor security posture. Third-party security audits that vendors can have performed also must be renewed and reviewed to be confident the vendor environment has not undergone significant changes. Fortunately, these reviews will most likely take the form of updates rather than starting from scratch.

Begin the engagement as early as possible by completing the Lightweight Risk Assessment at https://go.illinois.edu/vendorrisk.

We provide university administration, faculty, and staff with an understanding of their risk position to enable more informed decisions. Ultimately, final decisions as to risk and risk acceptance are up to authorized university leadership.

Reach out to digitalrisk@illinois.edu for help with any assessments or reports.

Risk acceptance vs. risk assignment

Risk assignment is based on the concept that all university units already own all of the risk contained in all of their business processes. This differs from risk acceptance in that the risk has already been assigned to the unit, regardless of whether anyone in the unit has officially signed off on and agreed to accept the risk of those processes. We work with customers and university decision-makers to mitigate risk into one of the predefined acceptable risk categories (moderate, low, very low).

Assigned risk is owned risk

In practice the university may bill the costs of a security event or incident to the unit itself. The unit may receive a bill from the university that begins in the thousands of dollars for a relatively small security compromise with no data breach involved, and goes up from there. It is vitally important that units understand they already own all of that risk.

Levels of risk

Acceptable risk

  • Some risk is considered by the university to be “Acceptable Risk”. Business processes that are compliant with all university standards and legal/regulatory requirements are considered by the university to be acceptable risk and no risk action is necessary.
  • If unit processes are non-compliant, the university Enterprise Risk Management (ERM) office standards dictate the type of response that must be taken to protect the university from that risk. See https://www.vpaa.uillinois.edu/enterprise_risk_management/resources_and_tools/.

High risk (sensitive data, or public/internal data in a highly critical business process)

  • Requires priority allocation of resources for management and/or mitigation; establish plans and countermeasures.

Very high risk (high risk data, or sensitive data in a highly critical business process)

  • Requires essential and immediate allocation and organization of resources to manage/mitigate the risk; establish plans and countermeasures.

Technology Services
1211 Digital Computer Lab
1304 W. Springfield Ave.
Urbana, IL 61801
Email: consult@illinois.edu
Office of the Chief Information Officer