IT Risk Assessment

The Office of Information Assurance operates a service to perform IT risk assessments in accordance with University of California BFB-IS-3. Please see below for guidance on how to get started.

Note: Before an IT risk assessment can begin, you must be able to describe the scope of your environment and the assets within it. The review cannot start without this information.

Step 1: Prepare

To begin, define the scope of the IT environment for which the assessment is requested. This requires a technical understanding of that environment. The scope depends on the service or process being assessed and on any laws or regulations that require your unit to implement specific controls.

The preparation phase is intended to help units understand their environment and gather the documentation an IT risk assessment requires.

Below is recommended guidance to prepare for an IT risk assessment:

  • Understand and determine roles and responsibilities tied to your unit as described in IS-3.
    • Please contact OIA-RC for further assistance.
  • Identify the scope of the assessment.
    • Identify the assets within the requested scope (systems, data and their data protection levels, devices, individuals, suppliers, cloud systems, etc.).
  • Gather any current documentation describing how the in-scope assets are managed.
    • Documentation may include the following:
      • Inventory lists
      • Standard Operating Procedures (SOPs)
      • Data flow diagrams
      • Network Architecture diagrams
      • System Security Plans (SSPs)
  • Share any laws, regulations, standards, or policies that apply to the work.

Once you have gathered information, move to Step 2.

Step 2: Conduct the IT risk assessment

To request an IT Risk Assessment, create a SNOW (ServiceNow) ticket and attach the documentation gathered in the Prepare phase to support the review.

OIA-RC will reach out to begin the IT Risk Assessment process.

Step 3: Risk Assessment Results

An IT Risk Assessment report will be provided upon completion. Any identified deficiencies and recommendations should be addressed in consultation with your Unit Head and Unit Information Security Lead.