IT Risk Register Introduction

 
Risk management is perceived as being hard to do, and institutions struggle to know where to begin. In fact, a 2014 ECAR
study found that 81% of colleges and universities do not consider IT risk in their institutional strategic plans.1 Nonetheless,
risk management is an important process that can help institutions identify, analyze, and prioritize the risks that may impact
their ability to meet strategic goals.
 
Traditional IT risk-management processes start with risk identification, in which institutions inventory their IT systems and
data and create an individualized list of the risks faced by each system. This can be a significant undertaking, often made
more difficult by institutional culture and resource constraints. Because the risk inventory itself involves so much effort, the
next step in the process—addressing those risks at a strategic level—often seems so daunting that many institutions don’t do
it. Nevertheless, strategically addressing IT risk is a vital part of risk management. Rather than simply identifying risks related
to physical inventories of assets in isolation, a strategic approach focuses on IT’s impact (or lack thereof) on institutional
goals.

The EDUCAUSE IT GRC Advisory Group created this IT Risk Register for institutional IT departments to get their strategic IT
risk-management programs off the ground. The IT Risk Register is a sortable checklist that identifies common strategic IT risks
and catalogues those risks according to common risk types and IT domains. It also contains a resource to help institutions
conduct a qualitative risk assessment of the items listed in the register. Institutions can use this tool to jumpstart or improve
their own IT risk-management programs. For instance, if an institution is just starting a risk-management program, the
register can be used to pre-populate lists of risks for the institution to consider in its analysis. For an institution that already
has a risk-management program, the register can be consulted to make sure that the institution has not inadvertently
omitted any key risks.
 
This IT Risk Register supplements an institution's own thoughtful IT risk-management process. Institutions should note that
the list of risks presented in this register is not exhaustive. Instead, it is a starting point for considering how to look at
strategic risks within an IT organization. Not all risks will apply to all institutions. In addition, this risk register is not a risk-
assessment tool or template. It does not prioritize risks against one another, nor does it spell out a particular method for
evaluating the costs and benefits of addressing the identified risks. It is hoped, however, that the examples provided in this
list will lead higher education institutions toward a more strategic and holistic appreciation of IT risk and an ability to
integrate IT risk into the broader institutional risk profile.
 
---------------------------------
1See Bichsel, Jacqueline, and Patrick Feehan. Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in
Higher Education. ECAR, June 2014. Available from http://www.educause.edu/library/resources/it-governance-risk-and-
compliance-higher-education
© EDUCAUSE 2015
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-
SA 4.0).

Brought to You by the EDUCAUSE IT Governance, Risk, and Compliance Program

This risk register and the member advisory council that created it are part of the EDUCAUSE IT Governance, Risk, and
Compliance program. The program provides resources that help IT professionals define and implement IT GRC activities on
their campuses. Learn more and view additional resources at www.educause.edu/it-grc

 
 
their campuses. Learn more and view additional resources at www.educause.edu/it-grc

 
 
begin. In fact, a 2014 ECAR
ategic plans.1 Nonetheless,
tize the risks that may impact

entory their IT systems and

undertaking, often made
involves so much effort, the
hat many institutions don’t do
imply identifying risks related
thereof) on institutional

nts to get their strategic IT

tifies common strategic IT risks
source to help institutions
tool to jumpstart or improve
agement program, the
or an institution that already
n has not inadvertently

nstitutions should note that

idering how to look at
s risk register is not a risk-
ut a particular method for
e examples provided in this
T risk and an ability to

and Compliance Programs in

s/it-governance-risk-and-

ernational License (CC BY-NC-

Governance, Risk, and

plement IT GRC activities on
 How to Use
 
Items in this IT Risk Register can be sorted by risk type, which is based on the consequences that an institution can expect to
risk types are used in this register:
Compliance: Risks that relate to a potential violation of a law or regulation or an institutional policy or requirement
Financial: Risks that impact the institution’s financial resources or financial operations
System/Service/IT Life Cycle: Risks that impact the provisioning of IT systems and services
Operational: Risks that impact the day-to-day operation of IT systems and services
Reputational: Risks that negatively affect institutional image, standing, or character
Strategic: Risks that may have a lasting impact on an institution’s ability to pursue its overarching mission or strategic goals
 
Risks in the IT Risk Register can also be sorted by IT domain. For the most part, the IT domain categories used in this register c
in the EDUCAUSE Core Data Service.2 This mapping enables institutions that complete the CDS survey each year to cross-refer
CDS for their own risk-management activities. The following IT domain categories are used in this register:
Administration and Management of IT (CDS Module 1)
IT Support Services (CDS Module 2)
Educational Technology Services (CDS Module 3)
Research Computing Services (CDS Module 4)
Data Centers (CDS Module 5)
Communications Infrastructure Services (CDS Module 6)
Enterprise Infrastructure and Services (Used throughout CDS)
Information Security (CDS Module 7)
Identity Management (CDS Module 7)
Information Systems and Applications (CDS Module 8)
Business Continuity (IT domain area added by the IT GRC Advisory Panel)
 
The risks are listed in the register in the following ways:
Worksheet tab called “Risk List Unsorted.” This lists of all of the risks in the IT Risk Register, with notes about the causes and i
and source information for a particular risk have been included on this tab for further reference.
Worksheet tab called “Sort by Risk Type.” This lists of all of the risks in the IT Risk Register, sorted by type. An institution that w
example, could filter the list according to the “compliance” column.  
Worksheet tab called “Sort by IT Domain.” This lists of all of the risks in the IT Risk Register, sorted by IT domain (using the de
An institution that wants to view only “identity management” risks, for example, could filter the list according to the “identity
A notes column is included on the “Sort by Risk Type” and “Sort by IT Domain” worksheets for institutions to add their own n
Institutions may add their own columns and rows on each sheet to customize the register as necessary.

The IT Risk Register also contains a qualitative risk assessment template ( the worksheet called "Risk Assessment") to assess t
to be realized. Risks can be assessed according to three measures:

Likelihood: How likely it is for the risk to be realized?

1 = Low. Events that are unlikely to happen within a year.
2 = Medium. Events that are somewhat likely to happen within a year.
3 = High. Events that are likely to happen within a year.

Impact: What is the impact to the institution if the risk is realized?

1 = Low. Little or no effect on the institution; low costs/reputational damage.
2 = Medium. Moderate effect on the institution; moderate costs/reputational damage.
3 = High. Significant effect on the institution; severe costs/reputational damage.
Velocity: What is the speed with which the institution will feel the impact if the risk is realized (also considered an impact tim
1 = Low. Institution will feel the impact of the realized risk effects in 12+ months.
2 = Medium. Institution will feel the impact of the realized risk effects in 6-12 months.
3 = High. Institution will feel the impact of the realized risk effects in 0-6 months.

The product of these three measures can be used to help institutions prioritize their risk response activities. Higher scores co
for an institution to address. The risk assessment template also uses color (red = high; yellow = medium; green = low) to indi
---------------------------------
1
See EDUCAUSE Core Data Service IT domain definitions, available at: http://www.educause.edu/research-and-publications/r
service/it-domain-definitions
2
EDUCAUSE Core Data Service, available at: http://www.educause.edu/research-and-publications/research/core-data-service
3 = High. Institution will feel the impact of the realized risk effects in 0-6 months.

The product of these three measures can be used to help institutions prioritize their risk response activities. Higher scores co
for an institution to address. The risk assessment template also uses color (red = high; yellow = medium; green = low) to indi
---------------------------------
1
See EDUCAUSE Core Data Service IT domain definitions, available at: http://www.educause.edu/research-and-publications/r
service/it-domain-definitions
2
EDUCAUSE Core Data Service, available at: http://www.educause.edu/research-and-publications/research/core-data-service
at an institution can expect to face if the risk were realized. The following

olicy or requirement

g mission or strategic goals

ategories used in this register correspond directly to the IT domains1 used

survey each year to cross-reference risks on this list with data entered in
his register:

h notes about the causes and impacts of each risk. In some instances, notes
e.
d by type. An institution that wants to view only “compliance” risks, for

ed by IT domain (using the definitions provided by the Core Data Service).

e list according to the “identity management” column.  
nstitutions to add their own notes related to a listed risk.
cessary.

"Risk Assessment") to assess the potential for the risks listed in the register

also considered an impact time horizon)?

nse activities. Higher scores correlate to a risk that may be more important
medium; green = low) to indicate higher scores.

u/research-and-publications/research/core-data-service/about-core-data-

ns/research/core-data-service
nse activities. Higher scores correlate to a risk that may be more important
medium; green = low) to indicate higher scores.

u/research-and-publications/research/core-data-service/about-core-data-

ns/research/core-data-service
ID No. Risk Statement
1 IT governance and priorities not aligned with institutional
priorities
2 Failure to designate leadership (e.g., an individual or
individuals) for institutional oversight and strategic direction for
IT operations
3 Failure to designate leadership (e.g., an individual or
individuals) for institutional oversight and strategic direction for operations
information security activities
4 No succession plan for key institutional IT leaders (e.g., CIO,
CISO, CTO, CPO, etc.)
5 Relevant stakeholders not included in important IT investment
decisions (e.g., priorities, technologies, new applications)
6 IT assets (e.g., hardware, devices, data, and software) and
systems not prioritized based on their classification, criticality,
and institutional value
Risk Causes Risk Impacts
IT failure to understand institutional strategy; lack of institutional Poor governance of enterprise IT; inability to use IT to
support for IT operations strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; inefficiencies and duplication of effort;
poor perception/reputation of enterprise IT
Lack of institutional support for IT operations Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; creation of fiefdoms leading to
inefficiencies and duplication of effort
Lack of institutional support for IT and information security Poor governance of enterprise information security efforts;
inability to enhance, improve, or increase the effectiveness of
institutional information security; data breaches; failure to meet
regulatory compliance requirements; regulatory fines and
expenses
Lack of institutional support for IT operations; human nature not Leadership void in the event of separation of a key IT leader
to plan for succession activities; lack of qualified internal staff from the institution
for succession planning
Lack of senior management support; stakeholders fail to Uses of university IT systems that contravene good investment
understand IT investment decisions (or provision of IT services decision making; poor governance of enterprise IT; inability to
in general); inability to identify stakeholders use IT to strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; inefficiencies and duplication of effort;
increased cost for providing IT services; poor
perception/reputation of enterprise IT
Lack of senior management support; complexity of business Multiple redundant resources in place (inefficient and costly for
processes and automated systems; lack of funding and tools the institution); lack of institutional knowledge about where IT
for prioritization efforts; failure to update prioritization when resources, systems, and data are located; inability to
conditions change; stakeholder failure to agree on resource implement business continuity plans to support institutional
prioritization operations; financial losses due to replacement of nonpriority
systems; inability to execute strategic projects
 7 IT assets (e.g., hardware, devices, data, and software),
systems, and services outdated, do not support institutional
needs (admissions, academic, business operations, research,
etc.)
Complex and inflexible institutional enterprise IT architecture
(not scalable for current needs); failure to adopt new IT
infrastructure and/or services in a timely manner to support
institutional needs
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to provide needed business, academic, research
services; inability to enhance, improve, or increase the
provision of enterprise IT operations; increased cost for
providing IT services; failure to support user IT needs; poor
perception/reputation of enterprise IT

8 IT management aims and directions not communicated to
critical user areas
Lack of senior management support; failure to understand IT
management priorities; failure to prioritize communications to
critical user areas; lack of multiple communication channels
(e.g., e-mail, print media, other electronic media) to convey
information to user areas; failure of users to pay attention
Uses of university IT systems that contravene management
aims; poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; inefficiencies and duplication of effort;
poor perception/reputation of enterprise IT

9 Lack of shared understanding by IT and business units that
affects IT service delivery and projects
Lack of senior management support; failure of IT staff to
understand business processes and how IT services can
benefit those process; failure of business staff to understand IT
processes; inability to identify and document business
processes; mutual disrespect
Inability to use IT to strategically support institutional mission
(admissions, research, institutional operations, outreach to the
community); inability to enhance, improve, or increase the
provision of enterprise IT operations to support business,
academic, or research processes; increased cost for providing
IT services; failure of business process reengineering; distrust
between organizational units

10 IT projects not managed in terms of budget, scheduling, scope, Lack of senior management support; complexity of IT systems;
priority, and delivery complexity of cross-institutional IT projects; failure to assign a
project manager or implement project management
methodologies when engaging in IT projects; failure to inform
stakeholders about project changes
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; increased cost for providing IT
services; failure of IT projects; poor perception/reputation of
enterprise IT

11 No process for identifying and allocating costs attributable to IT Lack of senior management support; complexity of IT systems;
services complexity of institutional cost-allocation process; inability to
calculate TCO of providing IT services; failure to account for
indirect costs such as software license and upgrade fees
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; increased cost for providing IT
services

12 No process for measuring and managing IT performance
Lack of senior management support; complexity of IT
infrastructure; lack of funding and tools for performance
management or metrics; insufficient staff to attend to
performance management; failure to inform institutional
audience about performance management
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; increased cost for providing IT
services
13 No process for managing IT problems to ensure they are
adequately resolved or for investigating causes to prevent
recurrence
14 Incorrect information on public-facing institutional resources
(e.g., website, social media streams)
15 Critical institutional business and academic data (e.g.,
admissions, business operations, research, etc.) not available
when needed
16 Loss of access—for an unacceptable period of time—to IT
systems and services hosted by another organization
17 IT communications and networks not protected from complete
or intermittent failure
Lack of senior management support; complexity of IT
infrastructure; lack of funding and tools for service
management; insufficient staff to attend to service
management; failure to inform institutional audience about
support processes; insufficiently skilled staff to investigate and
resolve problems
Information on public websites out of date; internal posting
mistakes made by staff; intentional or unintentional vandalism
Hardware failure; software failure; data deleted; facility
destroyed; equipment lost/misplaced/stolen; lack of adequate
backups; lack of source documents or input files; data on
backups corrupted; backups unavailable (e.g., lost, stolen,
missing); failure to make appropriate arrangements with
vendors to provide redundant or support services; lack of
understanding recovery point objective (RPO—how much data
can be lost and recreated); failure to conduct, maintain, and
periodically test backups
Internet or campus network failure; hardware failure; software
failure; data deleted; facility destroyed; equipment
lost/misplaced/stolen (can be on the part of vendor or on
institutional systems that interact with vendor systems); failure
of authentication systems (vendor or institution); failure to make
appropriate arrangements with vendors to provide redundant or
support services; failure to develop and update business
continuity strategies; failure to test business continuity plans;
establishing unrealistic recovery time objectives (RTOs); lack of
understanding of specific business objectives and critical
processes
Internet or campus network failure; hardware failure; software Loss of communications within and beyond campus network;
failure; facilities destroyed; equipment lost/misplaced/stolen; failure of IT services; failure of emergency notification services;
intentional or unintentional vandalism; lack of redundant institutional reputation loss; poor perception/reputation of IT
systems or IT resources; lack of funding to support redundancy;
failure to develop and update business continuity strategies;
failure to test business continuity plans
Unable to address user problems in IT systems in a reliable
manner; inefficient processing of support tasks (failure to gain
efficiencies by tracking similar issues); inability to identify
recurring issues; inability to prioritize support requisitions;
failure to support business and academic processes; poor
perception/reputation of IT
Institutional website unavailable for a period of time; staff and
resource costs to repair website; institutional reputation loss;
poor perception/reputation of IT
Failure of business processes (e.g., payroll, tax, HR functions);
inability to execute on institutional mission; inability to
participate in research activities; costs of outsourcing functions
for a period of time; costs to recover data; regulatory
implications for failure to meet legal or contractual
requirements; institutional reputation loss; poor
perception/reputation of IT
Failure of business, academic, or research processes; inability
to execute on institutional mission; costs of outsourcing
functions for a period of time; costs to recover data; regulatory
implications for failure to meet legal or contractual
requirements; institutional reputation loss; poor
perception/reputation of IT
18 Areas housing critical IT assets (e.g., hardware, devices, data, Smoke, biological or chemical agents, asbestos, other hazards; IT personnel unable to access an area; emergency responders
and software) or services physically inaccessible, inoperable, lock failures; intentional or unintentional vandalism; natural unable to access an area; unauthorized personnel possibly
or unsuitable for human access disaster damage; access to facility not controlled able to access the area; IT systems disabled or tampered with;
failure of IT systems; theft of critical IT systems; theft of
institutional data; unable to bring IT or other critical systems
back online; destruction of backups of software, configurations,
data, or logs

19 Failure to make adequate plans for continuation of institutional Hardware failure; software failure; data deleted; facility Unable to recover systems and data to support business,
business processes (e.g., admissions, academic, operational destroyed; equipment lost/misplaced/stolen; lack of senior academic, and research processes and activities in a timely
activities, and research) in the event of an extended IT outage management support; complexity of business processes and manner; staff unable to understand roles/responsibilities; staff
automated systems; lack of funding and tools to support and resource expense to return to operations; failure to support
continuity planning efforts; failure to update business continuity institutional mission; institutional reputation loss; poor
strategies; failure to test business continuity plans; failure to perception/reputation of IT
ensure staff understand roles and responsibilities; failure to
incorporate lessons learned into strategies; failure to address
all phases of business continuity; establishing unrealistic
recovery time objectives (RTOs); lack of understanding of
specific business objectives and critical processes; lack of
prioritization of critical business and IT processes; failure to
make appropriate arrangements with vendors to provide
redundant or support services

20 No coordinated vetting and review process for third-party or
cloud-computing services used to store, process, or transmit
institutional data
Lack of senior management support; lack of communication of Multiple redundant services in place (inefficient and costly for
central vetting process to staff/employees; failure to understand the institution); institution unaware who its business partners
the need to protect institutional data are; institution unaware if institutional data are held by third
parties; institution unable to ensure that third parties are
following compliance requirements

21 Failure to create and maintain sufficient and current policies
and standards to protect the confidentiality, integrity, and
availability of institutional data and IT resources (e.g.,
hardware, devices, data, and software)
Lack of senior management support; failure to understand
information security concepts; lack of funding to support policy
development activities; lack of funding for training; lack of user
training
Improper use of university IT systems and institutional data;
failure of users to protect critical institutional data when using IT
resources (leading to data breach); institution subject to
regulatory violations and fines; institutional reputation loss; poor
perception/reputation of IT

22 Data breach or leak of sensitive information (e.g., academic,
business, or research data)
Lack of senior management support; complex regulatory
environments impacting higher education IT systems and data
(e.g., FERPA, HIPAA, GLBA, PCI, accessibility, export
controls, etc.); complexity of IT systems, infrastructure, and
services; lack of funding for data handling training; lack of user
training; intentional user malfeasance; unintentional user error;
hacking or infiltration by third parties
Institution subject to regulatory violations and fines; costs of
breach notification; costs of redress for individuals; loss of
alumni donations; loss of research data; costs to mitigate
underlying breach event; institutional reputation loss; poor
perception/reputation of IT
23 Inadequate cyber security incident or event response
24 Failure to control logical access and incorporate principles of
least functionality to IT resources (e.g., hardware, devices,
data, and software) and systems
25 Failure to control physical access to data centers/facilities and
areas housing critical IT resources (e.g., hardware, devices,
data, and software) and systems
26 Failure to follow organized life-cycle management practices
(development, acquisition, use, transfer, repair, replacement,
destruction) for institutional IT resources and systems
27 Failure to document institutional IT infrastructure architecture Lack of senior management support; complexity of IT
and to implement change-control processes (including creating, processes and systems; lack of funding and tools to support
maintaining, and revising baseline IT system configurations)
Lack of senior management support; complexity of business
processes and automated systems; lack of funding and tools to
support security incident response; failure to update incident
response strategies; failure to test incident response plans; lack
of staff with incident response expertise
Failure to use authentication systems; failure of authentication
systems; authentication systems easily disabled; giving user
access to more systems and assets than is needed to complete
staff tasks; failure to remove access when user separates from
the institution or changes job duties; lack of staff with identity
management expertise
Failure to use physical locks; failure of physical locks; physical Unauthorized access to facilities or IT systems; IT systems
locks easily disabled; failure to use authentication systems;
failure of authentication systems; authentication systems easily IT systems; theft of institutional data
disabled
Lack of senior management support; complexity of IT
processes and systems; lack of funding and tools to support
life-cycle management efforts; failure to update documentation
when conditions change; insufficient staff to attend to task
efforts; failure to train IT staff on life-cycle management
processes (including equipment removal and destruction, data
deletion)
change-control processes and efforts; failure to update
documentation when conditions change; insufficient staff to
attend to task efforts; failure to train IT staff on change-control
processes
Unable to recover systems and data to support business,
academic, and research processes and activities in a timely
manner; staff and resource expense to return to operations
following a security incident; unable to assist in legal
investigations related to an incident; institutional reputation
loss; poor perception/reputation of IT
Unauthorized access to IT systems; IT systems disabled or
tampered with; failure of IT systems; theft of critical IT systems;
theft of institutional data; users mistakenly given more system
access than is needed to complete job duties; inability to
maintain the confidentiality of data in institutional systems
disabled or tampered with; failure of IT systems; theft of critical
Multiple redundant resources in place (inefficient and costly for
the institution); institution unaware where its IT resources and
systems are located; institution unaware how its data are
transmitted or where its data are; institution unaware if IT
resources or institutional data are held by third parties;
institution unable to ensure its own or third-party adherence to
compliance requirements; inability to support, prioritize, or
understand criticality of systems for business continuity
purposes; financial losses due to replacement of misplaced
systems; regulatory fines for improper disposal of resources
and/or data (data breach or toxic waste disposal); institutional
reputation loss
Multiple redundant resources in place (inefficient and costly for
the institution); inability to support, prioritize, or understand
criticality of systems for business continuity purposes; inability
to provide a baseline configuration of successful IT operations;
failure to understand the effect of IT configuration changes on
business system processes; multiple departments making
uncoordinated changes to IT systems; financial losses due to
duplicative changes and required rollbacks
28 Institutional IT communication and data flows not documented Lack of senior management support; complexity of IT
processes and systems; lack of funding and tools for mapping
efforts; failure to update maps/data flows when conditions
change; insufficient staff to attend to task efforts
29 Licenses and permits for institutional IT systems and software Lack of senior management support; complexity of IT
not maintained infrastructure and software licensing requirements; lack of
funding and tools for licensing management; insufficient staff to institutional reputation loss; poor perception/reputation of IT
attend to acquisition efforts; failure to train IT staff on the need
for software/hardware licenses
30 No process for ensuring institutional data remain complete, Lack of senior management support; complexity of business
accurate, and valid during input, update, and storage processes and automated systems; failure to ensure staff
understand roles and responsibilities; failure to train staff on
proper data entry; failure to incorporate automated processes
to ensure valid data entry; failure to log data changes
31 Audit logs on critical IT systems and processes not maintained Lack of senior management support; complexity of IT Unable to understand and recreate anomalies experienced in
infrastructure; lack of funding and tools for log management; IT systems; unable to perform forensic analysis
lack of space to store logs; lack of tools to review and manage
log entries; insufficient staff to attend to log management;
32 Too few IT staff to ensure continuous IT system operations Inability to recruit and retain sufficient numbers of competent IT
staff needed to support enterprise IT operations; failure to
maintain the staffing levels or skill sets needed to support
enterprise IT operations; any personal situation that renders
personnel unable to attend to institutional duties (military
service, family obligations, natural disaster, death); single
expert in field separates from employment with institution;
vendor personnel unavailable under similar scenarios as
presented above; inability to be physically present on campus
due to a natural disaster or civil disturbance
33 Users (e.g., students, faculty, staff, administrators, third parties) Lack of senior management support; complex regulatory
do not follow legal and regulatory requirements regarding the environments impacting higher education IT systems and data
operation/use of IT systems and the use of institutional data (e.g., FERPA, HIPAA, GLBA, PCI, accessibility, export
controls, etc.); lack of funding for training; lack of user training
Multiple redundant services/communication flows in place
(inefficient and costly for the institution); institution unaware
how its data are transmitted or where its data are; institution
unaware if institutional data are held by third parties; institution
unable to ensure its own or third-party adherence to
compliance requirements; inability to support, prioritize, or
understand criticality of systems for business continuity
purposes
Operation of IT resources and software in a manner that
violates contractual terms; institution subject to contract liability;
Failure of business, academic, or research processes; inability
to execute on institutional mission; costs of outsourcing
functions for a period of time; costs to recover data; regulatory
implications for failure to meet legal or contractual
requirements; loss of integrity in automated systems
Inability to enhance, improve, or increase the provision of
enterprise IT operations; unable to operate/recover systems
and data to support to support business, academic, and
research processes and activities; overreliance on key staff;
low employee morale; increased employee turnover; failure to
support institutional mission
Improper use of university IT systems and institutional data;
failure of users to protect critical institutional data when using IT
resources (leading to data breach); institution subject to
regulatory violations and fines; institutional reputation loss
34 Users (e.g., students, faculty, staff, administrators, third parties) Lack of senior management support; complex university Improper use of university IT systems and institutional data;
do not follow university policies regarding the operation/use of policies impacting higher education IT systems and data; lack failure of users to protect critical institutional data when using IT
IT systems and the use of institutional data of funding for training; lack of user training resources (leading to data breach); institution subject to
regulatory violations and fines; institutional reputation loss
Additional Notes Risk Citation
COBIT 5, EDM 1.01-1.03, EDM 2.01 (COBIT Risk Scenario Project Management - Best practices for IT Professionals - R. Murch, 2001
Category 1, 10)

COBIT 5, EDM 1.01, APO 1.01, APO 7.01, APO 7.02 (COBIT
Risk Scenario Category 4, 10)

COBIT 5, APO 1.01, 7.01 (COBIT Risk Scenario Category 4)

COBIT 5, EDM 1.01, EDM 1.02, APO 7.01 (COBIT Risk Scenario
Category 4, 10)

COBIT 5, EDM 2.01, APO 5.03, APO 6.02, BAI 1.03 ISACA Publication, "Risk Scenarios, using COBIT 5 for Risk."

NIST Cybersecurity Framework; ISO/IEC 27001:2013 A.8.2.1;

NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14
COBIT 5, BAI 2.01 (COBIT Risk Scenario Category 6)
COBIT 5, APO 4.03-4.06 (COBIT Rick Scenario Category 7, 20) Association of College and University Auditors (ACUA), Risk Dictionary (used with
permission)

COBIT 5, EDM 2.01, APO 1.04 (COBIT Risk Scenario Category 1, Association of College and University Auditors (ACUA), Risk Dictionary (used with
10) permission)

COBIT 5, BAI 2.01, 3.01-3.05 (COBIT Risk Scenario Category 9) ISACA Publication, "Risk Scenarios, using COBIT 5 for Risk."

COBIT 5, BAI 1.02-1.13 (COBIT Risk Scenario Category 3) Project Management - Best practices for IT Professionals - R. Murch, 2001

COBIT 5, EDM 2.01-2.03, APO 6.03, BAI 3.04 (COBIT Risk Association of College and University Auditors (ACUA), Risk Dictionary (used with
Scenario Category 3) permission)

COBIT 5,BAI 4.05 (COBIT Risk Scenario Category 6) Association of College and University Auditors (ACUA), Risk Dictionary (used with
permission)
COBIT 5, DSS 6.04-6.05 (COBIT Risk Scenario Category 6) Association of College and University Auditors (ACUA), Risk Dictionary (used with
permission)

COBIT 5, APO 1.03, APO 1.08, DSS 5.01, DSS 5.07 (COBIT Risk ISACA Publication, "Risk Scenarios, using COBIT 5 for Risk."
Scenario Category 15, 16)

COBIT 5, DSS 1.01 (COBIT Risk Scenario Category 6, 7, 8, 9)

COBIT 5, BAI 3.04, APO 10.02-10.05 (COBIT Risk Scenario

Category 11)
See also Cloud Controls Matrix Working Group, Cloud Controls
Matrix, https://cloudsecurityalliance.org/group/cloud-controls-
matrix/

NIST Cybersecurity Framework;

ISO/IEC 27001:2013 A.13.1.1, A.13.2.1;
COBIT 5, DSS 5.02 (COBIT Risk Scenario Category 16)
NIST SP 800-53 Rev. 4 AC-4, AC-17, AC-18, CP-8, SC-7
COBIT 5, DSS 1.04-1.05; DSS 4.03-4.04; DCC 5.05 (COBIT Risk
Scenario Category 5, 14, 18, 19)

NIST Cybersecurity Framework;

ISO/IEC 27001:2013 A.17.1.3;
NIST SP 800-53 Rev.4 CP-4, IR-3, PM-14;
COBIT 5, DSS 4.03-4.04 (COBIT Risk Scenario Category 5, 13)

COBIT 5, BAI 3.04, APO 10.02-10.05 (COBIT Risk Scenario

Category 11)
See also Cloud Controls Matrix Working Group, Cloud Controls
Matrix, https://cloudsecurityalliance.org/group/cloud-controls-
matrix/

NIST Cybersecurity Framework;

ISO/IEC 27001:2013 A.5.1.1;
NIST SP 800-53 Rev. 4 -1 controls from all families

COBIT 5, MEA 3.01-3.03; DSS 5.02 (Risk Scenario Category 6, Association of College and University Auditors (ACUA), Risk Dictionary (used with
12) permission)
COBIT 5, APO 13.01-13.03, DSS 5.02, DSS 5.07 (COBIT Risk Association of College and University Auditors (ACUA), Risk Dictionary (used with
Scenario Category 15, 16) permission)

NIST Cybersecurity Framework; ISO/IEC 27001:2013 A.9.1.2;

NIST SP 800-53 Rev. 4 AC-3, CM-7
COBIT 5, DSS 1.04-1.05; DSS 4.03-4.04; DCC 5.05 (COBIT Risk
Scenario Category 5, 14)

COBIT 5, DSS 1.04-1.05; DSS 4.03-4.04; DCC 5.05 (COBIT Risk Association of College and University Auditors (ACUA), Risk Dictionary (used with
Scenario Category 5, 14, 18, 19) permission)

NIST Cybersecurity Framework;

ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.7;
NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16
COBIT 5, APO 1.01, BAI 1.01, BAI 1.02-1.13, BAI 4.01-4.05
(COBIT Risk Scenario Category 2, 8, 9)

NIST Cybersecurity Framework;

ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2,
A.14.2.3, A.14.2.4;
NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10;
COBIT 5, BAI 4.04-4.05, BAI 10.04-10.05 (COBIT Risk Scenario
Category 8)
NIST Cybersecurity Framework;
ISO/IEC 27001:2013 A.13.2.1;
NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8

COBIT 5, DSS 6.02 (COBIT Risk Scenario Category 5) Association of College and University Auditors (ACUA), Risk Dictionary (used with
permission)

COBIT 5, DSS 5.07, DSS 6.05 (COBIT Risk Scenario Category 6,

15)

COBIT 5, APO 7.01-7.05 (COBIT Risk Scenario Category 4 & 5)

COBIT 5, MEA 3.01-3.03; DSS 5.02, APO 1.01, APO 7.01-7.05

(Risk Scenario Category 6, 12, 17)
ISACA, Using COBIT 5 for Risk, "Risk Scenarios," and ISACA,
COBIT 5, "Enabling Processes."
NIST Cybersecurity Framework;
ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7;
NIST SP 800-53 Rev. 4 MP-6;
COBIT 5, MEA 3.01-3.03; DSS 5.02, APO 1.01, APO 7.01-7.05
(Risk Scenario Category 6, 12, 17);
ISACA, Using COBIT 5 for Risk, "Risk Scenarios," and ISACA,
COBIT 5, "Enabling Processes."
 IT
e/
ic
e rv
cl Se

l
na
e

l
na
nc

cy /
fe em

io
l

c
ti o
ia
ia

at

gi
nc

Li yst
pl

ra

ut

te
om

na

pe

ra
ep
S
ID No. Risk Statement

St
Fi

O
C

R
Critical institutional business and academic data (e.g., admissions, business operations, research, etc.) not available when
15 needed X X X X X
IT assets (e.g., hardware, devices, data, and software) and systems not prioritized based on their classification, criticality,
6 and institutional value X X X X
Failure to designate leadership (e.g., an individual or individuals) for institutional oversight and strategic direction for IT
2 operations X X X
Failure to designate leadership (e.g., an individual or individuals) for institutional oversight and strategic direction for
3 information security activities X X X
No coordinated vetting and review process for third-party or cloud-computing services used to store, process, or transmit
20 institutional data X X X
Failure to create and maintain sufficient and current policies and standards to protect the confidentiality, integrity, and
21 availability of institutional data and IT resources (e.g., hardware, devices, data, and software) X X X
Data breach or leak of sensitive information (e.g., academic, business, or research data)
22 X X X
Users (e.g., students, faculty, staff, administrators, third parties) do not follow legal and regulatory requirements regarding the
33 operation/use of IT systems and the use of institutional data X X X
Users (e.g., students, faculty, staff, administrators, third parties) do not follow university policies regarding the operation/use
34 of IT systems and the use of institutional data X X X
Licenses and permits for institutional IT systems and software not maintained
29 X X
Failure to make adequate plans for continuation of institutional business processes (e.g., admissions, academic, operational
19 activities, and research) in the event of an extended IT outage X X X
Relevant stakeholders not included in important IT investment decisions (e.g., priorities, technologies, new applications)
5 X X
Lack of shared understanding by IT and business units that affects IT service delivery and projects
9 X X
IT projects not managed in terms of budget, scheduling, scope, priority, and delivery
10 X X
No process for identifying and allocating costs attributable to IT services
11 X X
IT assets (e.g., hardware, devices, data, and software), systems, and services outdated, do not support institutional needs
7 (admissions, academic, business operations, research, etc.) X X
No process for measuring and managing IT performance
12 X X
No process for managing IT problems to ensure they are adequately resolved or for investigating causes to prevent
13 recurrence X X
Loss of access—for an unacceptable period of time—to IT systems and services hosted by another organization
16 X X
IT communications and networks not protected from complete or intermittent failure
17 X X
Areas housing critical IT assets (e.g., hardware, devices, data, and software) or services physically inaccessible, inoperable,
18 or unsuitable for human access X X
Inadequate cyber security incident or event response
23 X X
 Failure to control logical access and incorporate principles of least functionality to IT resources (e.g., hardware, devices,
24 data, and software) and systems X X
Failure to control physical access to data centers/facilities and areas housing critical IT resources (e.g., hardware, devices,
25 data, and software) and systems X X
Failure to document institutional IT infrastructure architecture and to implement change-control processes (including creating,
27 maintaining, and revising baseline IT system configurations) X X
Institutional IT communication and data flows not documented
28 X X
No process for ensuring institutional data remain complete, accurate, and valid during input, update, and storage
30 X X
Audit logs on critical IT systems and processes not maintained
31 X X
Too few IT staff to ensure continuous IT system operations
32 X X
Incorrect information on public-facing institutional resources (e.g., website, social media streams)
14 X X
No succession plan for key institutional IT leaders (e.g., CIO, CISO, CTO, CPO, etc.)
4 X
IT management aims and directions not communicated to critical user areas
8 X
Failure to follow organized life-cycle management practices (development, acquisition, use, transfer, repair, replacement,
26 destruction) for institutional IT resources and systems X
IT governance and priorities not aligned with institutional priorities
1
 c
gi
te
ra

Notes
St

X
X

X
 y
og

&
g

s
ol

&
in

em

ty
hn

t
ut

en
y

ui
s

e ns

ur

rit
p

in s yst
ec
ce
T

em

tin
om

ct

cu
En tur tio
fI

lT
vi

n S
In es stru

on
to

ag
e
er

c a
s C

rs

B atio on
es a

S
ru ic
tS
en

ic ion

an

C
ic ch

te

st un

i c ra

ic ti
n
en

pl ma
io

s
em

or

rv ar

M
rv Inf
rv at

f ra m

es
at
pp

Se ese
Se duc

C
e

In om

Ap for
ag

Se t.

rm

ti t
Su

a
an

In
en

us
R

C
E

fo
at
ID No. Risk Statement

IT
M

Id
D
Users (e.g., students, faculty, staff, administrators, third parties) do not follow legal and
regulatory requirements regarding the operation/use of IT systems and the use of
33 institutional data X X

Users (e.g., students, faculty, staff, administrators, third parties) do not follow university
34 policies regarding the operation/use of IT systems and the use of institutional data X X

8 IT management aims and directions not communicated to critical user areas X

Lack of shared understanding by IT and business units that affects IT service delivery and
9 projects X

32 Too few IT staff to ensure continuous IT system operations X

Failure to designate leadership (e.g., an individual or individuals) for institutional oversight

3 and strategic direction for information security activities X

Failure to designate leadership (e.g., an individual or individuals) for institutional oversight

2 and strategic direction for IT operations X

IT assets (e.g., hardware, devices, data, and software), systems, and services outdated,
do not support institutional needs (admissions, academic, business operations, research,
7 etc.) X

1 IT governance and priorities not aligned with institutional priorities X

10 IT projects not managed in terms of budget, scheduling, scope, priority, and delivery X

29 Licenses and permits for institutional IT systems and software not maintained X

11 No process for identifying and allocating costs attributable to IT services X

 4 No succession plan for key institutional IT leaders (e.g., CIO, CISO, CTO, CPO, etc.) X

Relevant stakeholders not included in important IT investment decisions (e.g., priorities,

5 technologies, new applications) X

No coordinated vetting and review process for third-party or cloud-computing services

20 used to store, process, or transmit institutional data X X

31 Audit logs on critical IT systems and processes not maintained X X

No process for ensuring institutional data remain complete, accurate, and valid during
30 input, update, and storage X X

No process for managing IT problems to ensure they are adequately resolved or for
13 investigating causes to prevent recurrence X X

28 Institutional IT communication and data flows not documented X X

IT assets (e.g., hardware, devices, data, and software) and systems not prioritized based
6 on their classification, criticality, and institutional value X

Failure to follow organized life-cycle management practices (development, acquisition,

26 use, transfer, repair, replacement, destruction) for institutional IT resources and systems X

12 No process for measuring and managing IT performance X

Loss of access—for an unacceptable period of time—to IT systems and services hosted

16 by another organization X X X X X

Areas housing critical IT assets (e.g., hardware, devices, data, and software) or services
18 physically inaccessible, inoperable, or unsuitable for human access X

17 IT communications and networks not protected from complete or intermittent failure X

Incorrect information on public-facing institutional resources (e.g., website, social media

14 streams) X
 Critical institutional business and academic data (e.g., admissions, business operations,
15 research, etc.) not available when needed X

22 Data breach or leak of sensitive information (e.g., academic, business, or research data) X

Failure to control physical access to data centers/facilities and areas housing critical IT
25 resources (e.g., hardware, devices, data, and software) and systems X

Failure to create and maintain sufficient and current policies and standards to protect the
confidentiality, integrity, and availability of institutional data and IT resources (e.g.,
21 hardware, devices, data, and software) X

23 Inadequate cyber security incident or event response X

Failure to control logical access and incorporate principles of least functionality to IT

24 resources (e.g., hardware, devices, data, and software) and systems X

Failure to document institutional IT infrastructure architecture and to implement change-

control processes (including creating, maintaining, and revising baseline IT system
27 configurations) X

Failure to make adequate plans for continuation of institutional business processes (e.g.,
admissions, academic, operational activities, and research) in the event of an extended IT
19 outage
X
X
X
B
us
i ne
ss
C
on

Notes
tin
ui
ty
X

X
X

X
ID No. Risk Statement
1 IT governance and priorities not aligned with institutional
priorities
2 Failure to designate leadership (e.g., an individual or
individuals) for institutional oversight and strategic direction for
IT operations
3 Failure to designate leadership (e.g., an individual or
individuals) for institutional oversight and strategic direction for operations
information security activities
4 No succession plan for key institutional IT leaders (e.g., CIO,
CISO, CTO, CPO, etc.)
5 Relevant stakeholders not included in important IT investment
decisions (e.g., priorities, technologies, new applications)
6 IT assets (e.g., hardware, devices, data, and software) and
systems not prioritized based on their classification, criticality,
and institutional value
Risk Causes Risk Impacts
IT failure to understand institutional strategy; lack of institutional Poor governance of enterprise IT; inability to use IT to
support for IT operations strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; inefficiencies and duplication of effort;
poor perception/reputation of enterprise IT
Lack of institutional support for IT operations Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; creation of fiefdoms leading to
inefficiencies and duplication of effort
Lack of institutional support for IT and information security Poor governance of enterprise information security efforts;
inability to enhance, improve, or increase the effectiveness of
institutional information security; data breaches; failure to meet
regulatory compliance requirements; regulatory fines and
expenses
Lack of institutional support for IT operations; human nature not Leadership void in the event of separation of a key IT leader
to plan for succession activities; lack of qualified internal staff from the institution
for succession planning
Lack of senior management support; stakeholders fail to Uses of university IT systems that contravene good investment
understand IT investment decisions (or provision of IT services decision making; poor governance of enterprise IT; inability to
in general); inability to identify stakeholders use IT to strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; inefficiencies and duplication of effort;
increased cost for providing IT services; poor
perception/reputation of enterprise IT
Lack of senior management support; complexity of business Multiple redundant resources in place (inefficient and costly for
processes and automated systems; lack of funding and tools the institution); lack of institutional knowledge about where IT
for prioritization efforts; failure to update prioritization when resources, systems, and data are located; inability to
conditions change; stakeholder failure to agree on resource implement business continuity plans to support institutional
prioritization operations; financial losses due to replacement of nonpriority
systems; inability to execute strategic projects
 7 IT assets (e.g., hardware, devices, data, and software),
systems, and services outdated, do not support institutional
needs (admissions, academic, business operations, research,
etc.)
Complex and inflexible institutional enterprise IT architecture
(not scalable for current needs); failure to adopt new IT
infrastructure and/or services in a timely manner to support
institutional needs
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to provide needed business, academic, research
services; inability to enhance, improve, or increase the
provision of enterprise IT operations; increased cost for
providing IT services; failure to support user IT needs; poor
perception/reputation of enterprise IT

8 IT management aims and directions not communicated to
critical user areas
Lack of senior management support; failure to understand IT
management priorities; failure to prioritize communications to
critical user areas; lack of multiple communication channels
(e.g., e-mail, print media, other electronic media) to convey
information to user areas; failure of users to pay attention
Uses of university IT systems that contravene management
aims; poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; inefficiencies and duplication of effort;
poor perception/reputation of enterprise IT

9 Lack of shared understanding by IT and business units that
affects IT service delivery and projects
Lack of senior management support; failure of IT staff to
understand business processes and how IT services can
benefit those process; failure of business staff to understand IT
processes; inability to identify and document business
processes; mutual disrespect
Inability to use IT to strategically support institutional mission
(admissions, research, institutional operations, outreach to the
community); inability to enhance, improve, or increase the
provision of enterprise IT operations to support business,
academic, or research processes; increased cost for providing
IT services; failure of business process reengineering; distrust
between organizational units

10 IT projects not managed in terms of budget, scheduling, scope, Lack of senior management support; complexity of IT systems;
priority, and delivery complexity of cross-institutional IT projects; failure to assign a
project manager or implement project management
methodologies when engaging in IT projects; failure to inform
stakeholders about project changes
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; increased cost for providing IT
services; failure of IT projects; poor perception/reputation of
enterprise IT

11 No process for identifying and allocating costs attributable to IT Lack of senior management support; complexity of IT systems;
services complexity of institutional cost-allocation process; inability to
calculate TCO of providing IT services; failure to account for
indirect costs such as software license and upgrade fees
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; increased cost for providing IT
services

12 No process for measuring and managing IT performance
Lack of senior management support; complexity of IT
infrastructure; lack of funding and tools for performance
management or metrics; insufficient staff to attend to
performance management; failure to inform institutional
audience about performance management
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; increased cost for providing IT
services
13 No process for managing IT problems to ensure they are
adequately resolved or for investigating causes to prevent
recurrence
14 Incorrect information on public-facing institutional resources
(e.g., website, social media streams)
15 Critical institutional business and academic data (e.g.,
admissions, business operations, research, etc.) not available
when needed
16 Loss of access—for an unacceptable period of time—to IT
systems and services hosted by another organization
17 IT communications and networks not protected from complete
or intermittent failure
Lack of senior management support; complexity of IT
infrastructure; lack of funding and tools for service
management; insufficient staff to attend to service
management; failure to inform institutional audience about
support processes; insufficiently skilled staff to investigate and
resolve problems
Information on public websites out of date; internal posting
mistakes made by staff; intentional or unintentional vandalism
Hardware failure; software failure; data deleted; facility
destroyed; equipment lost/misplaced/stolen; lack of adequate
backups; lack of source documents or input files; data on
backups corrupted; backups unavailable (e.g., lost, stolen,
missing); failure to make appropriate arrangements with
vendors to provide redundant or support services; lack of
understanding recovery point objective (RPO—how much data
can be lost and recreated); failure to conduct, maintain, and
periodically test backups
Internet or campus network failure; hardware failure; software
failure; data deleted; facility destroyed; equipment
lost/misplaced/stolen (can be on the part of vendor or on
institutional systems that interact with vendor systems); failure
of authentication systems (vendor or institution); failure to make
appropriate arrangements with vendors to provide redundant or
support services; failure to develop and update business
continuity strategies; failure to test business continuity plans;
establishing unrealistic recovery time objectives (RTOs); lack of
understanding of specific business objectives and critical
processes
Internet or campus network failure; hardware failure; software Loss of communications within and beyond campus network;
failure; facilities destroyed; equipment lost/misplaced/stolen; failure of IT services; failure of emergency notification services;
intentional or unintentional vandalism; lack of redundant institutional reputation loss; poor perception/reputation of IT
systems or IT resources; lack of funding to support redundancy;
failure to develop and update business continuity strategies;
failure to test business continuity plans
Unable to address user problems in IT systems in a reliable
manner; inefficient processing of support tasks (failure to gain
efficiencies by tracking similar issues); inability to identify
recurring issues; inability to prioritize support requisitions;
failure to support business and academic processes; poor
perception/reputation of IT
Institutional website unavailable for a period of time; staff and
resource costs to repair website; institutional reputation loss;
poor perception/reputation of IT
Failure of business processes (e.g., payroll, tax, HR functions);
inability to execute on institutional mission; inability to
participate in research activities; costs of outsourcing functions
for a period of time; costs to recover data; regulatory
implications for failure to meet legal or contractual
requirements; institutional reputation loss; poor
perception/reputation of IT
Failure of business, academic, or research processes; inability
to execute on institutional mission; costs of outsourcing
functions for a period of time; costs to recover data; regulatory
implications for failure to meet legal or contractual
requirements; institutional reputation loss; poor
perception/reputation of IT
18 Areas housing critical IT assets (e.g., hardware, devices, data, Smoke, biological or chemical agents, asbestos, other hazards; IT personnel unable to access an area; emergency responders
and software) or services physically inaccessible, inoperable, lock failures; intentional or unintentional vandalism; natural unable to access an area; unauthorized personnel possibly
or unsuitable for human access disaster damage; access to facility not controlled able to access the area; IT systems disabled or tampered with;
failure of IT systems; theft of critical IT systems; theft of
institutional data; unable to bring IT or other critical systems
back online; destruction of backups of software, configurations,
data, or logs

19 Failure to make adequate plans for continuation of institutional Hardware failure; software failure; data deleted; facility Unable to recover systems and data to support business,
business processes (e.g., admissions, academic, operational destroyed; equipment lost/misplaced/stolen; lack of senior academic, and research processes and activities in a timely
activities, and research) in the event of an extended IT outage management support; complexity of business processes and manner; staff unable to understand roles/responsibilities; staff
automated systems; lack of funding and tools to support and resource expense to return to operations; failure to support
continuity planning efforts; failure to update business continuity institutional mission; institutional reputation loss; poor
strategies; failure to test business continuity plans; failure to perception/reputation of IT
ensure staff understand roles and responsibilities; failure to
incorporate lessons learned into strategies; failure to address
all phases of business continuity; establishing unrealistic
recovery time objectives (RTOs); lack of understanding of
specific business objectives and critical processes; lack of
prioritization of critical business and IT processes; failure to
make appropriate arrangements with vendors to provide
redundant or support services

20 No coordinated vetting and review process for third-party or
cloud-computing services used to store, process, or transmit
institutional data
Lack of senior management support; lack of communication of Multiple redundant services in place (inefficient and costly for
central vetting process to staff/employees; failure to understand the institution); institution unaware who its business partners
the need to protect institutional data are; institution unaware if institutional data are held by third
parties; institution unable to ensure that third parties are
following compliance requirements

21 Failure to create and maintain sufficient and current policies
and standards to protect the confidentiality, integrity, and
availability of institutional data and IT resources (e.g.,
hardware, devices, data, and software)
Lack of senior management support; failure to understand
information security concepts; lack of funding to support policy
development activities; lack of funding for training; lack of user
training
Improper use of university IT systems and institutional data;
failure of users to protect critical institutional data when using IT
resources (leading to data breach); institution subject to
regulatory violations and fines; institutional reputation loss; poor
perception/reputation of IT

22 Data breach or leak of sensitive information (e.g., academic,
business, or research data)
Lack of senior management support; complex regulatory
environments impacting higher education IT systems and data
(e.g., FERPA, HIPAA, GLBA, PCI, accessibility, export
controls, etc.); complexity of IT systems, infrastructure, and
services; lack of funding for data handling training; lack of user
training; intentional user malfeasance; unintentional user error;
hacking or infiltration by third parties
Institution subject to regulatory violations and fines; costs of
breach notification; costs of redress for individuals; loss of
alumni donations; loss of research data; costs to mitigate
underlying breach event; institutional reputation loss; poor
perception/reputation of IT
23 Inadequate cyber security incident or event response
24 Failure to control logical access and incorporate principles of
least functionality to IT resources (e.g., hardware, devices,
data, and software) and systems
25 Failure to control physical access to data centers/facilities and
areas housing critical IT resources (e.g., hardware, devices,
data, and software) and systems
26 Failure to follow organized life-cycle management practices
(development, acquisition, use, transfer, repair, replacement,
destruction) for institutional IT resources and systems
27 Failure to document institutional IT infrastructure architecture Lack of senior management support; complexity of IT
and to implement change-control processes (including creating, processes and systems; lack of funding and tools to support
maintaining, and revising baseline IT system configurations)
Lack of senior management support; complexity of business
processes and automated systems; lack of funding and tools to
support security incident response; failure to update incident
response strategies; failure to test incident response plans; lack
of staff with incident response expertise
Failure to use authentication systems; failure of authentication
systems; authentication systems easily disabled; giving user
access to more systems and assets than is needed to complete
staff tasks; failure to remove access when user separates from
the institution or changes job duties; lack of staff with identity
management expertise
Failure to use physical locks; failure of physical locks; physical Unauthorized access to facilities or IT systems; IT systems
locks easily disabled; failure to use authentication systems;
failure of authentication systems; authentication systems easily IT systems; theft of institutional data
disabled
Lack of senior management support; complexity of IT
processes and systems; lack of funding and tools to support
life-cycle management efforts; failure to update documentation
when conditions change; insufficient staff to attend to task
efforts; failure to train IT staff on life-cycle management
processes (including equipment removal and destruction, data
deletion)
change-control processes and efforts; failure to update
documentation when conditions change; insufficient staff to
attend to task efforts; failure to train IT staff on change-control
processes
Unable to recover systems and data to support business,
academic, and research processes and activities in a timely
manner; staff and resource expense to return to operations
following a security incident; unable to assist in legal
investigations related to an incident; institutional reputation
loss; poor perception/reputation of IT
Unauthorized access to IT systems; IT systems disabled or
tampered with; failure of IT systems; theft of critical IT systems;
theft of institutional data; users mistakenly given more system
access than is needed to complete job duties; inability to
maintain the confidentiality of data in institutional systems
disabled or tampered with; failure of IT systems; theft of critical
Multiple redundant resources in place (inefficient and costly for
the institution); institution unaware where its IT resources and
systems are located; institution unaware how its data are
transmitted or where its data are; institution unaware if IT
resources or institutional data are held by third parties;
institution unable to ensure its own or third-party adherence to
compliance requirements; inability to support, prioritize, or
understand criticality of systems for business continuity
purposes; financial losses due to replacement of misplaced
systems; regulatory fines for improper disposal of resources
and/or data (data breach or toxic waste disposal); institutional
reputation loss
Multiple redundant resources in place (inefficient and costly for
the institution); inability to support, prioritize, or understand
criticality of systems for business continuity purposes; inability
to provide a baseline configuration of successful IT operations;
failure to understand the effect of IT configuration changes on
business system processes; multiple departments making
uncoordinated changes to IT systems; financial losses due to
duplicative changes and required rollbacks
28 Institutional IT communication and data flows not documented Lack of senior management support; complexity of IT
processes and systems; lack of funding and tools for mapping
efforts; failure to update maps/data flows when conditions
change; insufficient staff to attend to task efforts
29 Licenses and permits for institutional IT systems and software Lack of senior management support; complexity of IT
not maintained infrastructure and software licensing requirements; lack of
funding and tools for licensing management; insufficient staff to institutional reputation loss; poor perception/reputation of IT
attend to acquisition efforts; failure to train IT staff on the need
for software/hardware licenses
30 No process for ensuring institutional data remain complete, Lack of senior management support; complexity of business
accurate, and valid during input, update, and storage processes and automated systems; failure to ensure staff
understand roles and responsibilities; failure to train staff on
proper data entry; failure to incorporate automated processes
to ensure valid data entry; failure to log data changes
31 Audit logs on critical IT systems and processes not maintained Lack of senior management support; complexity of IT Unable to understand and recreate anomalies experienced in
infrastructure; lack of funding and tools for log management; IT systems; unable to perform forensic analysis
lack of space to store logs; lack of tools to review and manage
log entries; insufficient staff to attend to log management;
32 Too few IT staff to ensure continuous IT system operations Inability to recruit and retain sufficient numbers of competent IT
staff needed to support enterprise IT operations; failure to
maintain the staffing levels or skill sets needed to support
enterprise IT operations; any personal situation that renders
personnel unable to attend to institutional duties (military
service, family obligations, natural disaster, death); single
expert in field separates from employment with institution;
vendor personnel unavailable under similar scenarios as
presented above; inability to be physically present on campus
due to a natural disaster or civil disturbance
33 Users (e.g., students, faculty, staff, administrators, third parties) Lack of senior management support; complex regulatory
do not follow legal and regulatory requirements regarding the environments impacting higher education IT systems and data
operation/use of IT systems and the use of institutional data (e.g., FERPA, HIPAA, GLBA, PCI, accessibility, export
controls, etc.); lack of funding for training; lack of user training
Multiple redundant services/communication flows in place
(inefficient and costly for the institution); institution unaware
how its data are transmitted or where its data are; institution
unaware if institutional data are held by third parties; institution
unable to ensure its own or third-party adherence to
compliance requirements; inability to support, prioritize, or
understand criticality of systems for business continuity
purposes
Operation of IT resources and software in a manner that
violates contractual terms; institution subject to contract liability;
Failure of business, academic, or research processes; inability
to execute on institutional mission; costs of outsourcing
functions for a period of time; costs to recover data; regulatory
implications for failure to meet legal or contractual
requirements; loss of integrity in automated systems
Inability to enhance, improve, or increase the provision of
enterprise IT operations; unable to operate/recover systems
and data to support to support business, academic, and
research processes and activities; overreliance on key staff;
low employee morale; increased employee turnover; failure to
support institutional mission
Improper use of university IT systems and institutional data;
failure of users to protect critical institutional data when using IT
resources (leading to data breach); institution subject to
regulatory violations and fines; institutional reputation loss
34 Users (e.g., students, faculty, staff, administrators, third parties) Lack of senior management support; complex university Improper use of university IT systems and institutional data;
do not follow university policies regarding the operation/use of policies impacting higher education IT systems and data; lack failure of users to protect critical institutional data when using IT
IT systems and the use of institutional data of funding for training; lack of user training resources (leading to data breach); institution subject to
regulatory violations and fines; institutional reputation loss
Likelihood Impact Velocity (Horizon) Score Notes
0

0
0

0
0

0
0

0
0

0
0

0
0
 Acknowledgments
 
The 2015 EDUCAUSE IT GRC Advisory Panel contributed their vision and significant talents to the conception, creation, and
completion of the risk register:
Cathy  Bates, Associate Vice Chancellor and Chief Information Officer, Appalachian State University
Niraj Bhagat, Environmental Health & Safety and Information Systems Manager, Southern Methodist University
Michael Chapple, Senior Director for IT Service Delivery, University of Notre Dame
Mike Corn, Deputy Chief Information Officer, Brandeis University
Elias Eldayrie, Vice President and Chief Information Officer, University of Florida
Merri Beth Lavagnino, Chief Risk Officer, Indiana University
Susie McCormick, Assistant Vice President for IT Budget and Administration, University of Virginia
Steve McDonald, General Counsel, Rhode Island School of Design
Peter Murray, Chief Information Officer and Vice President for Information Technology, University of Maryland, Baltimore
Gary Nimax, Assistant Vice President for Compliance and ERM, University of Virginia
Carol Rapps, Audit Manager, Information Systems, University of Texas, San Antonio
Marty Ringle, Chief Information Officer, Reed College
Cheryl Washington, Chief Information Security Officer, University of California, Davis
Madelyn Wessel, General Counsel, Virginia Commonwealth University
 
Many others donated their time and talents to this project. Contributors included individuals and members of several
organizations: David Escalante, Boston College; the EDUCAUSE Higher Education Information Security Council (HEISC); the
EDUCAUSE IT Accessibility Constituent Group; the National Association of College and University Attorneys (NACUA); the
Association of College and University Auditors (ACUA); the University Risk Management and Insurance Association (URMIA); a
the National Association of College and University Business Officers (NACUBO).
 
Special thanks go to the Association of College and University Auditors, which contributed IT risks from its Risk Dictionary to t
effort.
 
EDUCAUSE staff members who contributed to this effort are Joanna Grama, Jon Lang, Susan Nesbitt, and Valerie Vogel.
 e conception, creation, and

sity
hodist University

nia

ty of Maryland, Baltimore

nd members of several
ecurity Council (HEISC); the
y Attorneys (NACUA); the
urance Association (URMIA); and

ks from its Risk Dictionary to this

sbitt, and Valerie Vogel.