IT Risk Assessments

Key IT Risk Assessment Program Principles:

  1. Security is a shared responsibility, and everyone has a role to play;
  2. In continuous risk management, risk assessment is key;
  3. Units are responsible for managing their own information security risk; and
  4. "Risk" and "Priority" classifications primarily inform the risk level and the required security controls.

Standards

VT IT Risk Assessment Standard – Covers inventory, classification and risk assessment of VT-owned technology resources and internally developed software applications. Also covers the risk model, risk analysis methodology, risk ownership/acceptance, risk treatment, and university departmental/org unit responsibilities for recurring IT risk assessment.

VT IT Vendor Risk Assessment Standard – Covers requirements for ITSO security evaluation/assessment of third-party service providers/vendors handling university data, including the identification and analysis of security risks, risk ownership/acceptance, risk treatment, and requirements for periodic reassessment of service providers with specific compliance objectives.

IT Risk Assessment Documentation

Isora GRC Assessment Guide (PDF)

Related Resources

IT Risk Assessment Metrics

Minimum Security Standards v4.0

Standard for High-Risk Digital Data Protection

Virginia Tech Risk Classifications