IT Risk Assessment
The Office of Information Assurance operates a service to perform IT risk assessments in accordance with University of California BFB-IS-3. Please see below for guidance on how to get started.
Note: When conducting an IT risk assessment, it is essential to understand the scope of your environment and the assets. This information is needed to begin the review.
Step 1: Prepare
To begin this process, it is important to define the scope of the IT environment for which the assessment is being requested. This requires a technical understanding of the environment. The scope depends on the service or process involved and on any specific laws and regulations that may require your unit to implement particular controls.
The preparation phase is intended to help units understand their environment and to gather the documentation needed for an IT risk assessment.
Below is recommended guidance to prepare for an IT risk assessment:
- Understand and determine roles and responsibilities tied to your unit as described in IS-3.
- Please contact OIA-RC for further assistance.
- Identify scope of assessment.
- Identify assets (systems, data, data protection level, devices, individuals, suppliers, cloud systems, etc.) within the requested scope.
- Gather any current documentation to support the management of the identified scope.
- Documentation may include the following:
  - Inventory lists
  - Standard Operating Procedures (SOPs)
  - Data flow diagrams
  - Network architecture diagrams
  - System Security Plans (SSPs)
- Share any laws, regulations, standards, and policies that are applicable to the work.
Once you have gathered information, move to Step 2.
Step 2: Conduct the IT Risk Assessment
To officially initiate your request, please submit an IT Risk Assessment request using this Kuali request form: IT Risk Assessment Request Form. Ensure that you attach all relevant documentation regarding the Institutional Information or IT Resource being assessed.
Step 3: Risk Assessment Results
Once complete, the final IT Risk Assessment Report will be automatically emailed to the requestor directly from the Kuali system.
If the report identifies any deficiencies or recommendations, you should address them in consultation with your Unit Head and Unit Information Security Lead.