IT Risk Assessment

The Office of Information Assurance operates a service to perform IT risk assessments in accordance with University of California BFB-IS-3. Please see below for guidance on how to get started.

Note: When conducting an IT risk assessment, it is essential to understand the scope of your environment and the assets. This information is needed to begin the review.

Step 1: Prepare

To begin this process, it is important to define the scope of the IT environment to be assessed. This requires a technical understanding of the environment. The scope depends on the service or process involved and on any specific laws and regulations that may require your unit to implement particular controls.

The preparation phase is intended to help units understand their environment and gather the documentation needed for an IT risk assessment.

Below is recommended guidance to prepare for an IT risk assessment:

  • Understand and determine roles and responsibilities tied to your unit as described in IS-3.
    • Please contact OIA-RC for further assistance.
  • Identify scope of assessment.
    • Identify assets (systems, data, data protection level, devices, individuals, suppliers, cloud systems, etc.) within the requested scope.
  • Gather any current documentation to support the management of identified scope.
    • Documentation may include the following:
      • Inventory lists
      • Standard Operating Procedures (SOPs)
      • Data flow diagrams
      • Network Architecture diagrams
      • System Security Plans (SSPs)
  • Share any laws, regulations, standards, and policies that are applicable to the work.
  • Fill out the IT Risk Assessment Intake Form.

Once you have gathered information, move to Step 2.

Step 2: Conduct the IT Risk Assessment

To request an IT Risk Assessment, create a ServiceNow ticket and attach any documentation gathered in the Prepare phase above to help with the review.

  • In the ticket subject, state your unit name and include "IT Risk Assessment"
  • In the description, add information about what is being requested
  • Attach the completed IT Risk Assessment Intake Form and any other documentation mentioned in Step 1
  • If you would like to see a draft of the IT Risk Assessment template to understand more about the process, say so in the ticket and we will send it when we reply

Once a ticket is generated, OIA-RC will reach out to the requesting unit and begin the IT Risk Assessment process.

Step 3: Risk Assessment Results

An IT Risk Assessment report will be provided upon completion. The identified deficiencies and recommendations, if any, should be addressed in consultation with your Unit Head and Unit Information Security Lead.