IT Risk Assessment: Two Universities Share Their Methodologies


Page 1: IT Risk Assessment: Two Universities Share Their Methodologies (175075067)

7/27/2019 IT Risk Assessment: Two Universities Share Their Methodologies (175075067)

http://slidepdf.com/reader/full/it-risk-assessment-two-universities-share-their-methodologies-175075067 1/58

IT Risk Assessment: Two Universities Share Their Methodologies

Nadine Stern, Associate CIO for Operations and Planning

Paul W Jeffreys, Director of IT Risk Management


Introduction


Objectives of Session:

Overview management of IT risk

Compare and contrast how Princeton and Oxford universities manage IT risk

Review experiences from other universities, based on EDUCAUSE review

Understand how risks should be managed within an IT risk management framework

Sprinkle in the EDUCAUSE top-ten IT issues to serve as reference point

Poll session attendees to appraise strategic risk entries


IT Risk Management Overview

IT risk management: identifies, assesses and responds to IT risks
– threat (should be) measured against IT objectives

Technology now permeates L&T, research, administration
– so an IT risk is a threat to institutional objectives
– becoming increasingly important

IT risk management helps to:
– Strengthen alignment between IT and institutional strategy
– Identify IT priorities and connect with IT Strategic Plan
– Influence capital investment
– Direct resource allocation to meet users’ requirements

However, not all institutions have formal initiatives: ECAR 2013 IT Risk Management poll*
– First plot from poll showing adoption of methodology:


ECAR Risk Management Poll* (chart: adoption of an IT risk management methodology)


EDUCAUSE Top 10 Issues

To help inform risk management practices at our institutions, we have used the EDUCAUSE Top 10 IT Issues (2013)* as a guide

Cross-referencing provides a worthwhile external comparison to add assurance that an institution has identified a full set of strategic IT threats

Comparison shown later, and will be used to undertake our attendee poll to give a full strategic risk appraisal


Princeton and Oxford Approaches

Princeton:
– Aiming to align its IT Risk Assessment with institutional Executive Risk Assessment
– Not interested in using an industry standard
– Committed to input and buy-in from IT leadership and contributors
– IT Risk assessment in distributed responsibility model

Oxford:
– Follows ISO31000 / M_o_R standard
– Three ‘perspectives’: Strategic / Project / Operational
– Assess risks against departmental objectives as objectively as possible
– Bottom-up (workshops) and top-down (senior management)
– Well developed process to mitigate risks
– Beginning to show benefits from programme


IT Risk Assessment at Princeton University

About me:
VP for IT and Enrollment Services at The College of New Jersey for 15 years
– About 60 IT staff; about 65 Enrollment Services staff

Associate CIO in the Office of Information Technology at Princeton since April 2011
– 280 central OIT staff
– About 150 departmental IT staff
– My department: IT Security officer, Budget and Finance, Organizational Effectiveness, Technology Consulting, Contract Management, Strategic Planning, Associate CIO role


What I found at Princeton

My role includes liaison to Office of Audit and Compliance

Office of Audit and Compliance – relatively new

IT Audit function: yearly audits but no overall risk assessment methodology

OIT has decentralized Information Security organization and planning


Evolution of IT Risk Assessment

University had conducted a University Risk Assessment in 2009
– Information Security identified as one of the Risk Areas, but not well defined

OAC interested in creating their audit universe

OIT needing to have a plan around Information Security initiatives
– Need to develop a mechanism for yearly updates


Risk Matrix

OAC gave first pass to create an IT Risk matrix

I organized it differently; added sections of Policy, Campus Awareness and Compliance, Industry Trends, EDUCAUSE Top 10 Issues

Spoke to Paul Jeffreys, Oxford University


Ranking Risk

IT Risk Factors

Availability – Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system. Systems and critical information are available when needed in order to maintain the organization's critical operations and processes. Includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster at the site where the information was located.

Integrity – Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information. Data used for making management decisions, recording information, and reporting financial activity is accurate, complete, and reliable.

Confidentiality – Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information. The right to view or manipulate data is carefully granted and monitored to prevent the mishandling of data. Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception.

Compliance – Compliance with regulations, contracts, and policies and procedures

Likelihood Scale
3 High probability that identified risk will occur.
2 Medium probability that identified risk will occur.
1 Low probability that identified risk will occur.

Impact Scale
3 Potential significant impact to the University's mission, stewardship of assets, reputation, or stakeholders.
2 Potential significant impact to the risk area but moderate impact to the University's mission, stewardship of assets, reputation, or stakeholders.
1 Potential impact on the University is minor or limited in scope.

Financial Impact
3 Potential financial impact > $XXX
2 Potential financial impact > $YYY but less than $XXX
1 Potential financial impact $ZZZ or less


IT RISK FACTORS (risk matrix template, part 1)

Columns: Risk Area/Universe, then Likelihood and Impact scored separately for Financial Impact, Availability, Integrity, Confidentiality / Access, and Compliance (score cells are blank in the template)

IT Policy and Governance
1 University-level Policies
2 Department-level Policies
3 Data Classification
4 Education and Communication

IT General Controls / "Computer Operations"
5 Change and Patch Management
– Network
– Desktop / Anti-Virus
– UNIX
– Linux
– Windows
– Business
– Database
– Business Applications
– Hardware / Software


IT RISK FACTORS (part 2; same columns: Risk Area/Universe, Financial Impact, Availability, Integrity, Confidentiality / Reliability, Compliance, each with Likelihood and Impact)

6 Backup, Recovery, and Retention
– Network
– UNIX
– Linux
– Windows
– Databases
– Business
– Desktop / Laptop

7 Identity and Access Management / Logical Security / Security
– Network
– UNIX
– Linux
– Windows
– Databases
– Business Applications


IT RISK FACTORS (part 3; same columns)

8 Security Logging and Monitoring
– Network
– UNIX
– Linux
– Windows
– Databases
– Business

9 Systems Administration/Support/Monitoring
– Network
– UNIX
– Linux
– Windows
– Databases
– Desktop/Laptop


IT RISK FACTORS (part 4; same columns)

10 “Data Center Operations” – Job Scheduling
– Network
– UNIX
– Linux
– Windows
– Database
– Business Applications

11 Configuration Management
– Network
– UNIX
– Linux
– Windows
– Database
– Application
– Desktop/Laptop


IT RISK FACTORS (part 5; external reference rows, same columns)

E1–E10: 2012 EDUCAUSE Top Ten IT Issues (issue titles are cut off in the source)
– Updating IT professionals' skills and roles to…
– Supporting the trends toward IT consumerization and…
– Developing an institution-wide cloud strategy
– Improving the institution's operational efficiency…
– Integrating information technology into institutional…
– Using analytics to support critical institutional…
– Funding information technology strategically
– Transforming the institution's business with…
– Supporting the research mission through high-…
– Establishing and implementing IT governance…

F IPv6
G Cybersecurity
H Protection/Security of Research Data


Business Unit interviews – IT Risk Categories

– University and Department Policies
– Education and Training
– Laws, Regulations, Compliance
– Privacy, Confidentiality, Data Classification
– Specific IPP Projects
– Emerging Technologies: Cloud computing, Social Media, Mobility
– Constituent-specific concerns (students, faculty, staff)
– Missed Opportunities


1st year results

Less than popular with OIT

We realized it was too granular, and did not really reflect priority of risk which would lead to security initiative selection and prioritization

Continued to seek other resources from other peer institutions, EDUCAUSE


Maturation

Read many articles on risk from various sources: NIST, EDUCAUSE, Coursera course

Gartner: good resources for assessing security program, concepts of risk assessment, but no templates

IBM: mostly around penetration testing

New CIO/VP for IT

Realization that Audit will only focus on IT General Controls

Discussions with our Internal Audit group and EVP responsible for Enterprise Risk Management

Clarification that we need to use the University Risk Map to “INFORM” our yearly process


Developing Princeton’s IT Risk Map (risk map diagrams)


Next steps for Princeton

Close work with our ERMC (Executive Risk Management Committee) efforts

Refine Matrix approach
– Add feedback loop from incident evaluations
– Periodic updating incorporating industry trends and University’s enterprise risk assessment process
– Creating new CISO position to focus on Risk Assessment, Security Strategy, Outreach, Business Continuity


IT Risk Assessment at University of Oxford

Professor Paul W Jeffreys, Director of IT Risk Management


IT Risk Management Framework

Office of Government Commerce: Management_of_Risk* (M_o_R)
– Uses international standard ISO31000:2009
– Same standard adopted by University*

Definition of risk (OGC):
– “An uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives.
– A risk is measured by the combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objectives.”

M_o_R Steps:
– Identify key strategic risks that would prevent the achievement of objectives;
– Assign ownership;
– Evaluate significance of each risk (classify);
– Identify suitable responses to each risk;
– Ensure internal control system manages the risk;
– Regular review


Organizational Perspectives

– Strategic: long-term / beyond department
– Project: medium-term / bring about business change
– Operational: short-term / ensure on-going continuity of business services


Define Risk Syntax and Risk Register Structure

Syntax used to describe risk:
– If - we do not ensure that IT Services' information assets are managed correctly and securely - then - there is a possibility of information loss and corruption AND major security breach - resulting in a risk of - damage to reputation of department and University, possible criminal or civil proceedings, and loss or corruption of information

Risk Register (managed in SharePoint)
– Risk identifier, Classification (Perspective), Risk description (using syntax), Risk probability, Risk Impact, Risk Response, Owner, Actionees, …

Focus on Strategic perspective here…
– ‘That which is not within scope of IT Services to mitigate’


Assessment of (Strategic) Risk

Goal: prioritize individual risks so that it is clear which risks are most important for IT Services
– Must measure against organizational objectives
– Measure as objectively as possible

Measure using two parameters:
– Impact: estimated effect of a particular threat occurring
– Probability: estimated chance of it actually occurring with the impact specified (within the period of the activity)

Reproducibility
– Requires definition of terms
– Impact measured by: reputation, timing, financial, availability

Overall Risk Assessment
– Not a linear combination of impact and probability


1. Impact (Reputation and Outputs)

Strategic – Reputation & Outputs: impact of threats on image, standing and output quality

Measure: publicity and media interest generated / effect upon rankings

Critical: EITHER sustained or ongoing negative national media publicity OR a negative change across all national or international HE sector rankings
Major: EITHER one-off negative national, or ongoing local, media publicity OR a negative change across the majority of national or international HE sector rankings
Moderate: EITHER negative media publicity likely, but avoidable or controllable with management OR a negative view of IT Services at Council level
Minor: Negative publicity limited to within IT Services
Insignificant: Negative publicity limited to within part of IT Services


2. Impact (Timing)

Strategic – Timing: impact of threats on slipping timescales

Measure: escalation of compliance issues, including legal matters

Critical: EITHER delays in significant governance issues or decision-making processes exceeding 24 months OR the matter is brought to Council OR break in service for more than a week
Major: EITHER delays in significant governance issues or decision-making processes of 12 to 24 months OR the matter is brought to the Capital Steering Group OR break in key service for greater than a day
Moderate: EITHER delays in significant governance issues or decision-making processes of 6 to 12 months OR the matter is brought to the IT Committee OR break in key IT service for greater than two hours
Minor: EITHER delays in significant governance issues or decision-making processes of 3 to 6 months OR the matter is brought to the IT Services Executive Management Team OR break in key service for greater than 15 minutes
Insignificant: EITHER delays in significant governance issues or decision-making processes of up to 3 months OR complaint limited to within IT Services’ processes OR break in service for greater than two minutes


3. Impact (Finances and Funding)

Strategic – Finances & Funding: impact of threats on sustainability, funding and financial control

Measure: financial scale of effect

Critical: Financial loss or impact exceeding £1m
Major: EITHER financial loss or impact of £100k to £1m OR negative effect on financial controls in general
Moderate: EITHER financial loss or impact of £20k to £100k OR negative effect on financial controls in more than one area for up to six months OR ongoing negative effect on financial controls in one area
Minor: EITHER financial loss or impact of £1k to £20k OR negative effect on financial controls in one area for up to six months
Insignificant: Financial loss or impact up to £1k and no lasting negative effect on financial controls


4. Impact (Availability and User Impact)

Strategic – Availability and User Impact: impact of threats on availability of services and user experience

Measure: availability and user experience

Critical: The majority or whole of the University is negatively affected for a period of longer than one month
Major: The majority or whole of University, or IT Services' capability in general, is negatively affected for a period of up to one month
Moderate: EITHER individuals or a small number of teams are affected on an on-going basis OR IT Services' capability for the University is negatively affected for a period of up to one day
Minor: EITHER individuals or a small number of teams are affected on an on-going basis OR IT Services' capability for the University is negatively affected for a period of up to one day
Insignificant: Individuals or single teams only are negatively affected and IT Services' capability in general is not affected


Probability or Likelihood

• Consistent with University approach

Likelihood / Frequency / Monthly probability

Very High: Very likely – is considered to have a chance of occurring every month / up to 100%
High: Probable – is considered to have a chance of occurring once within the next two months, or up to six times a year / up to 50%
Moderate: Possible – is considered to have a chance of occurring once within the next six months, or up to twice a year / up to 16.7%
Low: Unlikely – is considered to have a chance of occurring once within the next year, or up to twice in two years / up to 8.3%
Very Low: Exceptional – is considered to have a chance of occurring once within the next two years / up to 4.2%


Ask you to assess an Oxford risk…

If - we do not ensure that IT Services' information assets are managed correctly and securely - then - there is a possibility of information loss and corruption AND major security breach - resulting in a risk of - damage to reputation of department and University, possible criminal or civil proceedings, and loss or corruption of information

Which type of ‘Impact’ assessment is likely to have the biggest impact?


1. Impact (Reputation and Outputs) – the Reputation & Outputs impact table above, repeated for the attendee poll


Probability or Likelihood – the likelihood table above, repeated for the attendee poll

{Critical impact * Moderate probability} = 20 classification


Oxford’s Strategic Risk Register

Creating a strategic risk register is challenging
– Bottom-up (workshops) combined with top-down (senior management)
– Referenced against EDUCAUSE top-ten issues
– Entries becoming relatively stable (after 6 months)

Heat map of register entries: IMPACT down the side (Insignificant 1 to Critical 5), LIKELIHOOD along the bottom (1 Very Low, 2 Low, 3 Moderate, 4 High, 5 Very High). Entry counts per impact row as recoverable from the chart (column positions not recoverable):
– Critical (5): one cell holding 2 risks
– Major (4): four cells holding 1, 8, 2 and 2 risks
– Moderate (3): two cells holding 1 and 5 risks
– Minor (2): none
– Insignificant (1): none
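The scales above lend themselves to a small register model: statements written in the If/then/resulting-in syntax, likelihood bands derived from the monthly-probability ceilings, the Finances & Funding thresholds, and a tally of entries onto the 5x5 grid. The following is an added example in Python (my code, not the slide deck's and not either university's tooling). Everything not on the slides is an assumption: that the overall impact of a risk is the worst of its four impact dimensions, that a risk observed N times over M months has a monthly probability of N/M, that the financial band edges are half-open, and the register entries S-01 to S-03 with their histories, which are constructed.

```python
"""Added example (not Oxford's or Princeton's own tooling): a small risk-register
model built on the Oxford scales above. Assumptions of mine: overall impact is
the worst of the four impact dimensions; N incidents over M months give a
monthly probability of N/M; financial band edges are half-open; all register
entries are constructed for illustration."""
import re
from collections import Counter
from dataclasses import dataclass

IMPACT_LEVELS = ["Insignificant", "Minor", "Moderate", "Major", "Critical"]
LIKELIHOOD_LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Monthly-probability ceiling of each likelihood band (4.2%, 8.3%, 16.7%, 50%, 100%).
LIKELIHOOD_CEILINGS = [(1 / 24, "Very Low"), (1 / 12, "Low"), (1 / 6, "Moderate"),
                       (1 / 2, "High"), (1.0, "Very High")]

# Finances & Funding scale: up to £1k, £20k, £100k, £1m; above £1m is Critical.
FINANCIAL_BANDS = [(1_000, "Insignificant"), (20_000, "Minor"),
                   (100_000, "Moderate"), (1_000_000, "Major")]

RISK_SYNTAX = re.compile(
    r"If\s*-\s*(?P<cause>.+?)\s*-\s*then\s*-\s*(?P<event>.+?)"
    r"\s*-\s*resulting in a risk of\s*-\s*(?P<effect>.+)", re.I | re.S)


def rank(levels, level):
    """1-based position on a scale (Insignificant=1 ... Critical=5)."""
    return levels.index(level) + 1


def likelihood_from_monthly_probability(p):
    """First band whose ceiling covers the per-month chance of occurrence."""
    for ceiling, level in LIKELIHOOD_CEILINGS:
        if p <= ceiling + 1e-9:
            return level
    return "Very High"


def likelihood_from_history(incident_count, window_months):
    """Assumed estimator: N incidents over M months -> N/M per month, capped at 1."""
    if window_months <= 0:
        raise ValueError("window_months must be positive")
    return likelihood_from_monthly_probability(min(incident_count / window_months, 1.0))


def financial_impact(loss_gbp):
    """Band a loss in GBP; upper edges are inclusive (exactly £1m is still Major)."""
    for upper, level in FINANCIAL_BANDS:
        if loss_gbp <= upper:
            return level
    return "Critical"


def parse_risk_statement(text):
    """Split a statement in the slide's syntax into cause, event and effect."""
    match = RISK_SYNTAX.search(" ".join(text.split()))
    if not match:
        raise ValueError("statement does not follow the If/then/resulting-in syntax")
    return {key: value.strip() for key, value in match.groupdict().items()}


@dataclass
class Risk:
    identifier: str
    statement: str
    impacts: dict      # dimension -> impact level, e.g. {"reputation": "Major"}
    likelihood: str
    perspective: str = "Strategic"

    def overall_impact(self):
        # Assumption: the worst single dimension sets the overall impact level.
        return max(self.impacts.values(), key=lambda level: rank(IMPACT_LEVELS, level))

    def cell(self):
        """(impact rank, likelihood rank) position on the 5x5 grid."""
        return rank(IMPACT_LEVELS, self.overall_impact()), rank(LIKELIHOOD_LEVELS, self.likelihood)


def heat_map(register):
    """Count register entries per grid cell, as in the strategic-register picture."""
    return Counter(risk.cell() for risk in register)


EXAMPLE_STATEMENT = (
    "If - we do not ensure that IT Services' information assets are managed correctly "
    "and securely - then - there is a possibility of information loss and corruption AND "
    "major security breach - resulting in a risk of - damage to reputation of department "
    "and University, possible criminal or civil proceedings, and loss or corruption of information")


def build_example_register():
    """Constructed register; levels and incident histories are illustrative only."""
    return [
        Risk("S-01", EXAMPLE_STATEMENT, likelihood=likelihood_from_history(2, 12),
             impacts={"reputation": "Critical", "timing": "Moderate",
                      "financial": financial_impact(250_000), "availability": "Major"}),
        Risk("S-02", "If - we do not renew a support contract - then - a key service loses "
             "vendor support - resulting in a risk of - unpatched vulnerabilities",
             likelihood=likelihood_from_history(0, 24),
             impacts={"reputation": "Minor", "timing": "Insignificant",
                      "financial": financial_impact(5_000), "availability": "Minor"}),
        Risk("S-03", "If - we lose key staff - then - projects stall - resulting in a risk of - "
             "slipped deadlines", likelihood=likelihood_from_history(1, 3),
             impacts={"reputation": "Major", "timing": "Major",
                      "financial": financial_impact(50_000), "availability": "Moderate"}),
    ]


if __name__ == "__main__":
    for risk in build_example_register():
        print(risk.identifier, risk.overall_impact(), risk.likelihood,
              parse_risk_statement(risk.statement)["cause"])
    print(dict(heat_map(build_example_register())))
```

Running the module places S-01 in the (Critical, Moderate) cell that the slides use as their worked example: two incidents in twelve months is exactly the 16.7% monthly ceiling of the Moderate band. The classification score itself (the "20" above) is deliberately not reproduced, because the deck says it is not a linear combination of the two ranks and gives no table for it.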


Strategic risk mitigation

Each risk has a ‘Response’, ‘Risk Proximity’ and ‘% complete’; actions and controls detailed for mitigation

Reviewed by IT Committee termly

Objective: get all risks to ‘amber’ or less by end of academic year

Also, process for introducing new Strategic risks


Oxford Summary

Risk management programme working
– Reducing threat against departmental objectives
– Directing priorities

Strategic risk register still being refined…
– Strategic risk register entries stable
– Risk classifications reducing as a result of concerted efforts to mitigate
– Will update strategic risk again after conference…

Top-down meets bottom-up meets EDUCAUSE top ten
– Management of strategic risks certainly delivering benefits

Still to be connected fully with University of Oxford risk
Still to be connected fully with IT Strategic Plan


Princeton / Oxford Comparison


Learning While Doing – Judith Pirani*


Princeton
  Strengths – Institutional Outreach
    • Non-IT leaders’ input solicited from start
    • Works closely with Audit and Compliance
    • Institutional perspective
    • CIO member of the President’s Cabinet
    • CIO encouraging alignment of IT risk management with institutional goals
  Strengths – Process and Policies
    • Well-documented processes, definitions, and models
    • Linkage of risk and response processes
    • Monitoring risk response
  Weakness
    • Initial risk assessment too granular?

Oxford
  Strengths
    • Stratified Risk Model
    • Inclusive IT Risk Identification
    • Repeatable and Relatively Objective Risk Assessment Method
    • Weaves IT risk into IT planning and IT governance
  Weakness
    • Too much formality?


ECAR Results and Live Poll


ECAR results

Most of the responses to our poll came from four-year institutions (58% doctoral, 17% baccalaureate, and 15% master’s)

Has your institution adopted an IT risk management program or methodology?

(Chart of responses; percentages not recoverable. Response categories shown: No; No, planning to implement; No, would like guidance.)


EDUCAUSE Conference Poll

Identified set of top 10 strategic risks*, based on Princeton and Oxford registers, and cross-referenced to the EDUCAUSE Top Ten Issues (2013)*

Consider each one in turn, and ask attendees two questions:

– For those who have strategic IT risk registers in their universities: do they have a similar risk included in their own top set?

– For those who do not have strategic IT risk registers in their universities: would it be likely that they would have a similar risk included in their own top set?

Then ask which top risks are missing?


Risk 1

Business Continuity: If departments delivering services in partnership with central IT do not make adequate plans for continuation of their business processes in the event of an outage of IT or other utility services, then IT might not be able to deliver services required by the university

This could result in a risk of major academic disruption and potential financial loss (e.g. Hurricane Katrina in New Orleans)

– 2013 issue #5 — Facilitating a better understanding of information security and finding appropriate balance between infrastructure and security
– 2013 issue #6 — Funding information technology strategically


Risk 2

Emerging Technologies — Cloud Computing, Social Media, Mobility: If students, faculty, and staff use consumer-oriented and easily accessible technologies without appropriate consultation with central IT, then there could be serious information security implications: loss of control of university data, problematic contract issues, lack of attention to privacy concerns, etc.

This could result in a risk to institutional data integrity, confidentiality, and availability, and thus a risk of institutional financial obligation

– 2013 issue #1 — Leveraging the wireless and device explosion on campus
– 2013 issue #3 — Developing an institution-wide cloud strategy to help the institution select the right sourcing and solution strategies


Risk 3

Privacy, Confidentiality, Data Classification: If departments do not understand the legal, regulatory, and university policies around categories of data, then the university might suffer from inappropriate exposure of private data, resulting in a risk of lawsuits, loss of institutional intellectual property, loss of institutional reputation, and financial penalties

– 2013 issue #5 — Facilitating a better understanding of information security and finding appropriate balance between infrastructure and security
– 2013 issue #10 — Using analytics to support critical institutional outcomes


Risk 4

Inadequate Investment in IT Services: If a convincing case for adequate investment in IT cannot be made, then we might not be able to deliver projects and services required by the university, resulting in a risk of failing to provide services required to run the business of the university

– 2013 issue #4 — Developing a staffing and organizational model to accommodate the changing IT environment and facilitate openness and agility
– 2013 issue #6 — Funding information technology strategically
– 2013 issue #9 — Transforming the institution's business with information technology


Risk 5

Failure to Recognize and Meet User Expectations: If we fail to identify user requirements and expectations and assess the extent to which we are meeting them, then our services might not align with the university's needs. This misalignment could result in a risk of customers who have lost confidence in IT, a waste of resources, damage to the IT department's reputation, and failure to deliver services required by the university

– 2013 issue #8 — Supporting the trends toward IT consumerization and bring-your-own-device
– 2013 issue #4 — Developing a staffing and organizational model to accommodate the changing IT environment and facilitate openness and agility
– 2013 issue #1 — Access demand: wireless and device explosion, new digital divide, demand for institutional mobile apps
– 2013 issue #2 — Improving student outcomes through an approach that leverages technology
– 2013 issue #9 — Transforming the institution's business with information technology


Risk 6

Failure to Address Funding Shortages over Many Years: If we do not recognize the recurring costs of infrastructure services and resource appropriately, then there is the possibility that service improvements, including essential upgrades and enhancements, will not occur in a timely fashion — or at all. As a result, we risk service degradation or major failure and therefore compromise to university business operation

– 2013 issue #6 — Funding information technology strategically
– 2013 issue #9 — Transforming the institution's business with information technology


Risk 7

Inadequate Program and Project Coordination: If adequate project and program controls and management strategies are not in place, then there may be significant over-runs in budget expenditures or even failure to deliver, resulting in a risk of failure to deliver important programs and projects for the university

– 2013 issue #6 — Funding information technology strategically


Risk 8

Failure to Manage Information Assets Securely: If we do not ensure that information assets are managed correctly and securely, then there is a possibility of information loss and corruption or of a major security breach. These could result in a risk of damage to the reputation of the IT department and the university, possible criminal or civil proceedings, and loss or corruption of information

– 2013 issue #5 — Facilitating a better understanding of information security and finding appropriate balance between infrastructure openness and security


Risk 9

Learning and Teaching Support Inadequately Resourced: If the environment used by the university to support many aspects of learning and teaching is not resourced and prioritized adequately, then the service might not be sufficiently robust or developed to support use, demand, and user expectations, resulting in a risk of high-profile failure or widespread dissatisfaction with tools and inability of the university to deliver high-quality teaching

– 2013 issue #2 — Improving student outcomes through an approach that leverages technology
– 2013 issue #7 — Determining the role of online learning and developing a sustainable strategy for that role


Risk 10

Failure to Operate Capital Investment Approvals and Prioritization: If a clearly defined project and program approvals process is not followed, and a framework is not set up to define and agree on the most important capital investment areas, then projects and programs might not be prioritized correctly or adequately controlled and resourced, resulting in a risk of inappropriate allocation of resources, missed university objectives, and unnecessary expenditure and delays

– 2013 issue #6 — Funding information technology strategically


Summary

Any top-level strategic risks not covered?

Results from poll:

– For those with strategic risk registers, number of risks appearing in more than half:

– For those without strategic risk registers, number of risks that would appear in more than half:


Session Summary and Conclusions

Overviewed management of IT risk

Compared and contrasted Princeton and Oxford approaches

Reviewed other universities

Understood how risks should be managed - within an IT risk management framework

Compared with EDUCAUSE top ten issues

Undertaken poll to determine whether a consensus is beingreached on what should be included in a strategic risk register


Thank you

References

ECAR 2013 IT Risk Management poll:http://net.educause.edu/ir/library/pdf/ECARpollAPR2013.pdf

EDUCAUSE Top 10 IT Issues (2013): http://www.educause.edu/research-and-publications/research/top-10-it-issues

Judith Pirani’s research paper: Two Institutions’ Practical IT Risk Management Experiences: http://net.educause.edu/ir/library/pdf/ecar_so/erb/ERB1306.pdf

Strategic IT Risks Matched with EDUCAUSE Top 10 IT Issues: IT Risk Management: Try This Exercise at Your Institution: http://www.educause.edu/ero/article/it-risk-management-try-exercise-your-institution

Office of Government Commerce: Management of Risk (M_o_R): http://www.mor-officialsite.com/home/home.aspx

UoO Risk Management policy: http://www.admin.ox.ac.uk/riskmgt/

Learning While Doing: Two Institutions’ Practical IT Risk Management Experiences, ECAR Research Bulletin, Judith A. Pirani