IT Risk Register Introduction

 
Risk management is perceived as being hard to do, and institutions struggle to know where to begin. In fact, a 2014 ECAR stud
that 81% of colleges and universities do not consider IT risk in their institutional strategic plans.1 Nonetheless, risk managemen
important process that can help institutions identify, analyze, and prioritize the risks that may impact their ability to meet strat
goals.
 
Traditional IT risk-management processes start with risk identification, in which institutions inventory their IT systems and data
create an individualized list of the risks faced by each system. This can be a significant undertaking, often made more difficult b
institutional culture and resource constraints. Because the risk inventory itself involves so much effort, the next step in the pro
addressing those risks at a strategic level—often seems so daunting that many institutions don’t do it. Nevertheless, strategica
addressing IT risk is a vital part of risk management. Rather than simply identifying risks related to physical inventories of asset
isolation, a strategic approach focuses on IT’s impact (or lack thereof) on institutional goals.

The EDUCAUSE IT GRC Advisory Group created this IT Risk Register for institutional IT departments to get their strategic IT risk-
management programs off the ground. The IT Risk Register is a sortable checklist that identifies common strategic IT risks and
catalogues those risks according to common risk types and IT domains. Institutions can use this list to jumpstart or improve the
IT risk-management programs. For instance, if an institution is just starting a risk-management program, the register can be use
pre-populate lists of risks for the institution to consider in its analysis. For an institution that already has a risk-management pr
the register can be consulted to make sure that the institution has not inadvertently omitted any key risks.
 
This IT Risk Register supplements an institution's own thoughtful IT risk-management process. Institutions should note that the
risks presented in this register is not exhaustive. Instead, it is a starting point for considering how to look at strategic risks with
organization. Not all risks will apply to all institutions. In addition, this risk register is not a risk-assessment tool or template. It
not prioritize risks against one another, nor does it spell out a particular method for evaluating the costs and benefits of addre
the identified risks. It is hoped, however, that the examples provided in this list will lead higher education institutions toward a
strategic and holistic appreciation of IT risk and an ability to integrate IT risk into the broader institutional risk profile.
 
---------------------------------
1
See Bichsel, Jacqueline, and Patrick Feehan. Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in Hi
Education. ECAR, June 2014. Available from http://www.educause.edu/library/resources/it-governance-risk-and-compliance-h
education

© EDUCAUSE 2015
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA

Brought to You by the EDUCAUSE IT Governance, Risk, and Compliance Program

This risk register and the member advisory council that created it are part of the EDUCAUSE IT Governance, Risk, and Complian
program. The program provides resources that help IT professionals define and implement IT GRC activities on their campuses
more and view additional resources at www.educause.edu/it-grc

 
 
 
In fact, a 2014 ECAR study found
etheless, risk management is an
their ability to meet strategic

their IT systems and data and

ften made more difficult by
t, the next step in the process—
. Nevertheless, strategically
ysical inventories of assets in

get their strategic IT risk-

mon strategic IT risks and
jumpstart or improve their own
m, the register can be used to
has a risk-management program,
risks.
tions should note that the list of
ook at strategic risks within an IT
ment tool or template. It does
sts and benefits of addressing
tion institutions toward a more
onal risk profile.

ompliance Programs in Higher

ce-risk-and-compliance-higher-

onal License (CC BY-NC-SA 4.0).

nance, Risk, and Compliance

tivities on their campuses. Learn
How to Use
 
Items in this IT Risk Register can be sorted by risk type, which is based on the consequences that an institution can expect to fa
were realized. The following risk types are used in this register:
Compliance: Risks that relate to a potential violation of a law or regulation or an institutional policy or requirement
Financial: Risks that impact the institution’s financial resources or financial operations
System/Service/IT Life Cycle: Risks that impact the provisioning of IT systems and services
Operational: Risks that impact the day-to-day operation of IT systems and services
Reputational: Risks that negatively affect institutional image, standing, or character
Strategic: Risks that may have a lasting impact on an institution’s ability to pursue its overarching mission or strategic goals
 
Risks in the IT Risk Register can also be sorted by IT domain. For the most part, the IT domain categories used in this register co
directly to the IT domains1 used in the EDUCAUSE Core Data Service.2 This mapping enables institutions that complete the CDS
year to cross-reference risks on this list with data entered in CDS for their own risk-management activities. The following IT dom
are used in this register:
Administration and Management of IT (CDS Module 1)
IT Support Services (CDS Module 2)
Educational Technology Services (CDS Module 3)
Research Computing Services (CDS Module 4)
Data Centers (CDS Module 5)
Communications Infrastructure Services (CDS Module 6)
Enterprise Infrastructure and Services (Used throughout CDS)
Information Security (CDS Module 7)
Identity Management (CDS Module 7)
Information Systems and Applications (CDS Module 8)
Business Continuity (IT domain area added by the IT GRC Advisory Panel)
 
The risks are listed in the register in the following ways:
Worksheet tab called “Risk List Unsorted.” This lists of all of the risks in the IT Risk Register, with notes about the causes and im
risk. In some instances, notes and source information for a particular risk have been included on this tab for further reference.
Worksheet tab called “Sort by Risk Type.” This lists of all of the risks in the IT Risk Register, sorted by type. An institution that w
only “compliance” risks, for example, could filter the list according to the “compliance” column.  
Worksheet tab called “Sort by IT Domain.” This lists of all of the risks in the IT Risk Register, sorted by IT domain (using the defi
by the Core Data Service). An institution that wants to view only “identity management” risks, for example, could filter the list
“identity management” column.  
A notes column is included on the “Sort by Risk Type” and “Sort by IT Domain” worksheets for institutions to add their own no
listed risk.
Institutions may add their own columns and rows on each sheet to customize the register as necessary.
---------------------------------
1
See EDUCAUSE Core Data Service IT domain definitions, available at: http://www.educause.edu/research-and-publications/re
data-service/about-core-data-service/it-domain-definitions
2
EDUCAUSE Core Data Service, available at: http://www.educause.edu/research-and-publications/research/core-data-service
nstitution can expect to face if the risk

r requirement

sion or strategic goals

ies used in this register correspond

ns that complete the CDS survey each
vities. The following IT domain categories

s about the causes and impacts of each

tab for further reference.
ype. An institution that wants to view

IT domain (using the definitions provided

ample, could filter the list according to the

tions to add their own notes related to a

ry.

earch-and-publications/research/core-

search/core-data-service
ID
No. Risk Statement
1 IT governance and priorities not aligned with institutional
priorities
2 Failure to designate leadership (e.g., an individual or
individuals) for institutional oversight and strategic direction for
IT operations
3 Failure to designate leadership (e.g., an individual or
individuals) for institutional oversight and strategic direction for operations
information security activities
4 No succession plan for key institutional IT leaders (e.g., CIO,
CISO, CTO, CPO, etc.)
5 Relevant stakeholders not included in important IT investment
decision-making processes (e.g., new applications, priorities,
technologies)
6 IT assets (e.g., hardware, devices, data, and software) and
systems not prioritized based on their classification, criticality,
and institutional value
Risk Causes
IT failure to understand institutional strategy; lack of
institutional support for IT operations
Lack of institutional support for IT operations
Lack of institutional support for IT and information security
Lack of institutional support for IT operations; human nature
not to plan for succession activities; lack of qualified internal
staff for succession planning
Lack of senior management support; stakeholders fail to
understand IT investment decisions (or provision of IT services decision making; poor governance of enterprise IT; inability to
in general); stakeholders cannot be identified
Lack of senior management support; complexity of business
processes and automated systems; lack of funding and tools
for prioritization efforts; failure to update prioritization when
conditions change; stakeholder failure to agree on resource
prioritization
Risk Impacts
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; inefficiencies and duplication of
effort; poor perception/reputation of enterprise IT
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; creation of fiefdoms leading to
inefficiencies and duplication of effort
Poor governance of enterprise information security efforts;
inability to enhance, improve, or increase the effectiveness of
institutional information security; data breaches; failure to meet
regulatory compliance requirements; regulatory fines and
expenses
Leadership void in the event of separation of a key IT leader
from the institution
Uses of university IT systems that contravene good investment
use IT to strategically support institutional mission
(admissions, research, institutional operations, outreach to the
community); inability to enhance, improve, or increase the
provision of enterprise IT operations; inefficiencies and
duplication of effort; increased cost in providing IT services;
poor perception/reputation of enterprise IT
Multiple redundant resources in place (inefficient and costly for
the institution); lack of institutional knowledge about where its
IT resources, systems, and data are located; inability to
implement business continuity plans to support institutional
operations; financial losses due to replacement of nonpriority
systems; inability to execute strategic projects
 7 IT assets (e.g., hardware, devices, data, and software),
systems, and services outdated, do not support institutional
needs (admissions, academic, business operations, research,
etc.)
Complex and inflexible institutional enterprise IT architecture
(not scalable for current needs); failure to adopt new IT
infrastructure and/or services in a timely manner to support
institutional needs
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to provide needed business, academic, research
services; inability to enhance, improve, or increase the
provision of enterprise IT operations; increased cost in
providing IT services; failure to support user IT needs; poor
perception/reputation of enterprise IT

8 IT management aims and directions not communicated to
critical user areas
Lack of senior management support; failure to understand IT
management priorities; failure to prioritize communications to
critical user areas; lack of multiple communication channels
(e.g., e-mail, print media, other electronic media) to convey
information to user areas; failure of users to pay attention
Uses of university IT systems that contravene management
aims; poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; inefficiencies and duplication of effort;
poor perception/reputation of enterprise IT

9 Lack of shared understanding by IT and business units that
affects IT service delivery and projects
Lack of senior management support; failure of IT staff to
understand business processes and how IT services can
benefit those process; failure of business staff to understand IT
processes; inability to identify and document business
processes; mutual disrespect
Inability to use IT to strategically support institutional mission
(admissions, research, institutional operations, outreach to the
community); inability to enhance, improve, or increase the
provision of enterprise IT operations to support business,
academic, or research processes; increased cost in providing
IT services; failure of business process reengineering; distrust
between organizational units

10 IT projects not managed in terms of budget, scheduling,
scope, priority, and delivery
Lack of senior management support; complexity of IT systems;
complexity of cross-institutional IT projects; failure to assign a
project manager or implement project management
methodologies when engaging in IT projects; failure to inform
stakeholders about project changes
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; increased cost in providing IT
services; failure of IT projects; poor perception/reputation of
enterprise IT

11 No process for identifying and allocating costs attributable to IT Lack of senior management support; complexity of IT systems;
services complexity of institutional cost-allocation process; inability to
calculate TCO of providing IT services; failure to account for
indirect costs such as software license and upgrade fees
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; increased cost in providing IT
services

12 No process for measuring and managing IT performance
Lack of senior management support; complexity of IT
infrastructure; lack of funding and tools for performance
management or metrics; insufficient staff to attend to
performance management; failure to inform institutional
audience about performance management
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; increased cost in providing IT
services
13 No process for managing IT problems to ensure they are
adequately resolved or for investigating causes to prevent
recurrence
14 Incorrect information on public-facing institutional resources
(e.g., website, social media streams)
15 Critical institutional business and academic data (e.g.,
admissions, business operations, research, etc.) not available
when needed
16 Loss of access to IT systems and services hosted by another
organization, for an unacceptable period of time
17 IT communications and networks not protected from complete
or intermittent failure
Lack of senior management support; complexity of IT
infrastructure; lack of funding and tools for service
management; insufficient staff to attend to service
management; failure to inform institutional audience about
support processes; insufficiently skilled staff to investigate and
resolve problems
Information on public websites out of date; internal posting
mistakes made by staff; intentional or unintentional vandalism
Numerous causes, for example, hardware failure, software
failure, data deleted, facility destroyed, equipment
lost/misplaced/stolen, etc.; lack of adequate backups; lack of
source documents or input files; data on backups corrupted;
backups unavailable (e.g., lost, stolen, missing); failure to
make appropriate arrangements with vendors to provide
redundant or support services; lack of understanding recovery
point objective (RPO, i.e., how much data can be lost and
recreated); failure to conduct, maintain, and periodically test
backups
Numerous causes, for example, Internet or campus network
failure, hardware failure, software failure, data deleted, facility
destroyed, equipment lost/misplaced/stolen, etc. (can be on
the part of vendor or on institutional systems that interact with
vendor systems); failure of authentication systems (vendor or
institution); failure to make appropriate arrangements with
vendors to provide redundant or support services; failure to
develop and update business continuity strategies; failure to
test business continuity plans; establishing unrealistic recovery
time objectives (RTOs); lack of understanding of specific
business objectives and critical processes
Numerous causes, for example, Internet or campus network
failure, hardware failure, software failure, facilities destroyed,
equipment lost/misplaced/stolen, intentional or unintentional
vandalism, etc.; lack of redundant systems or IT resources;
lack of funding to support redundancy; failure to develop and
update business continuity strategies; failure to test business
continuity plans
Unable to address user problems in IT systems in a reliable
manner; inefficient processing of support tasks (failure to gain
efficiencies due to tracking of similar issues); inability to
identify recurring issues; inability to prioritize support
requisitions; failure to support business and academic
processes; poor perception/reputation of IT
Institutional website unavailable for a period of time; staff and
resource costs to repair website; institutional reputation loss;
poor perception/reputation of IT
Failure of business processes (e.g., payroll, tax, HR functions);
inability to execute on institutional mission; inability to
participate in research activities; costs of outsourcing functions
for a period of time; costs to recover data; regulatory
implications for failure to meet legal or contractual
requirements; institutional reputation loss; poor
perception/reputation of IT
Failure of business, academic, or research processes; inability
to execute on institutional mission; costs of outsourcing
functions for a period of time; costs to recover data; regulatory
implications for failure to meet legal or contractual
requirements; institutional reputation loss; poor
perception/reputation of IT
Loss of communications within and beyond campus network;
failure of IT services; failure of emergency notification
services; institutional reputation loss; poor
perception/reputation of IT
18 Areas housing critical IT assets (e.g., hardware, devices, data, Smoke, biological or chemical agents, asbestos, other IT personnel unable to access an area; emergency responders
and software) or services physically inaccessible, inoperable, hazards; security lock failures; intentional or unintentional unable to access an area; unauthorized personnel possibly
or unsuitable for human access vandalism; natural disaster damage; access to facility not able to access the area; IT systems disabled or tampered with;
controlled failure of IT systems; theft of critical IT systems; theft of
institutional data; unable to bring IT or other critical systems
back online; destruction of backups of software, configurations,
data, or logs

19 Failure to make adequate plans for continuation of institutional
business processes (e.g., admissions, academic, operational
activities, and research) in the event of an IT outage for an
extended period of time
Numerous causes, for example, hardware failure, software Unable to recover systems and data to support to support
failure, data deleted, facility destroyed, equipment business, academic, and research processes and activities in
lost/misplaced/stolen, etc.; lack of senior management a timely manner; staff unable to understand
support; complexity of business processes and automated roles/responsibilities; staff and resource expense to return to
systems; lack of funding and tools to support continuity operations; failure to support institutional mission; institutional
planning efforts; failure to update business continuity reputation loss; poor perception/reputation of IT
strategies; failure to test business continuity plans; failure to
ensure staff understand roles and responsibilities; failure to
incorporate lessons learned into strategies; failure to address
all phases of business continuity; establishing unrealistic
recovery time objectives (RTOs); lack of understanding of
specific business objectives and critical processes; lack of
prioritization of critical business and IT processes; failure to
make appropriate arrangements with vendors to provide
redundant or support services

20 No coordinated vetting and review process for third-party or
cloud computing services used to store, process, or transmit
institutional data
Lack of senior management support; lack of communication of Multiple redundant services in place (inefficient and costly for
central vetting process to staff/employees; failure to the institution); institution unaware who its business partners
understand the need to protect institutional data are; institution unaware if institutional data are held by third
parties; institution unable to ensure that third parties are
following requisite compliance requirements

21 Failure to create and maintain sufficient and current policies
and standards to protect the confidentiality, integrity, and
availability of institutional data and IT resources (e.g.,
hardware, devices, data, and software)
Lack of senior management support; failure to understand
information security concepts; lack of funding to support policy
development activities; lack of funding for training; lack of user
training
Improper use of university IT systems and institutional data;
failure of users to protect critical institutional data when using
IT resources (leading to data breach); institution vulnerable to
regulatory violations and fines; institutional reputation loss;
poor perception/reputation of IT

22 Data breach or leak of sensitive information (e.g., academic,
business, or research data)
Lack of senior management support; complex regulatory
environments impacting higher education IT systems and data
(e.g., FERPA, HIPAA, GLBA, PCI, accessibility, export
controls, etc.); complexity of IT systems, infrastructure, and
services; lack of funding for user data handling training; lack of
user training; intentional user malfeasance; unintentional user
error; hacking or infiltration by third parties
Institution vulnerable to regulatory violations and fines; costs of
breach notification; costs of redress for individuals;
reputational loss; loss of alumni donations; loss of research
data; costs to mitigate underlying breach event; institutional
reputation loss; poor perception/reputation of IT
23 Inadequate cyber security incident or event response
24 Failure to control logical access and incorporate principles of
least functionality to IT resources (e.g., hardware, devices,
data, and software) and systems
25 Failure to control physical access to data centers/facilities,
areas housing critical IT resources (e.g., hardware, devices,
data, and software) and systems
26 Failure to follow organized life-cycle management practices
(development, acquisition, use, transfer, repair, replacement,
destruction) for institutional IT resources and systems
27 Failure to document institutional IT infrastructure architecture
and to implement change-control processes (including
creating, maintaining, and revising baseline IT system
configurations)
Lack of senior management support; complexity of business
processes and automated systems; lack of funding and tools
to support security incident response; failure to update incident
response strategies; failure to test incident response plans;
lack of staff with incident response expertise
Failure to use authentication systems; failure of authentication
systems; authentication systems easily disabled; giving user
access to more systems and assets than is needed to
complete staff tasks; failure to remove user access when user
separates from the institution or changes job duties; lack of
staff with identity management expertise
Failure to use physical locks; failure of physical locks; physical Unauthorized personnel access to facilities or IT systems; IT
locks easily disabled; failure to use authentication systems;
failure of authentication systems; authentication systems easily of critical IT systems; theft of institutional data
disabled
Lack of senior management support; complexity of IT
processes and systems; lack of funding and tools to support
life-cycle management efforts; failure to update documentation
when conditions change; insufficient staff to attend to task
efforts; failure to train IT staff on life-cycle management
processes (including equipment removal and destruction, data
deletion)
Lack of senior management support; complexity of IT
processes and systems; lack of funding and tools to support
change-control processes and efforts; failure to update
documentation when conditions change; insufficient staff to
attend to task efforts; failure to train IT staff on change-control
processes
Unable to recover systems and data to support to support
business, academic, and research processes and activities in
a timely manner; staff and resource expense to return to
operations following a security incident; unable to assist in
legal investigations related to an incident; institutional
reputation loss; poor perception/reputation of IT
Unauthorized personnel access to IT systems; IT systems
disabled or tampered with; failure of IT systems; theft of critical
IT systems; theft of institutional data; users mistakenly given
more system access then is needed to complete job duties;
inability to maintain the confidentiality of data in institution
systems
systems disabled or tampered with; failure of IT systems; theft
Multiple redundant resources in place (inefficient and costly for
the institution); institution unaware where its IT resources and
systems are located; institution unaware how its data are
transmitted or where its data are; institution unaware if IT
resources or institutional data are held by third parties;
institution unable to ensure its own or third-party adherence to
requisite compliance requirements; inability to support,
prioritize, or understand criticality of systems for business
continuity purposes; financial losses due to replacement of
misplaced systems; regulatory fines for improper disposal of
resources and/or data (data breach or toxic waste disposal);
institutional reputation loss
Multiple redundant resources in place (inefficient and costly for
the institution); inability to support, prioritize, or understand
criticality of systems for business continuity purposes; inability
to provide a baseline configuration of successful IT operations;
failure to understand the effect of IT configuration changes on
business system processes; multiple departments making
changes to IT systems without coordination; financial losses
due to duplicative changes and required rollbacks
28 Institutional IT communication and data flows not documented Lack of senior management support; complexity of IT
processes and systems; lack of funding and tools for mapping
efforts; failure to update maps/data flows when conditions
change; insufficient staff to attend to task efforts
29 Licenses and permits for institutional IT systems and software Lack of senior management support; complexity of IT
not maintained infrastructure and software licensing requirements; lack of
funding and tools for licensing management; insufficient staff
to attend to acquisition efforts; failure to train IT staff on the
need for software/hardware licenses
30 No process for ensuring institutional data remain complete, Lack of senior management support; complexity of business
accurate, and valid during input, update and storage processes and automated systems; failure to ensure staff
understand roles and responsibilities; failure to train staff on
proper data entry; failure to incorporate automated processes
to ensure valid data entry; failure to log data changes
31 Audit logs on critical IT systems and processes not maintained Lack of senior management support; complexity of IT Unable to understand and recreate anomalies experienced in
infrastructure; lack of funding and tools for log management; IT systems; unable to perform forensic analysis
lack of space to store logs; lack of tools to review and manage
log entries; insufficient staff to attend to log management;
32 IT staff insufficient to ensure continuous IT system operations Numerous causes, for example, inability to recruit and retain
sufficient numbers of competent IT staff needed to support
enterprise IT operations; failure to maintain the staffing levels
or skill sets needed to support enterprise IT operations; any
personal situation that renders personnel unable to attend to
institutional duties (military service, family obligations, natural
disaster, death); single expert in field separates from
employment with institution; vendor personnel unavailable
under similar scenarios as presented above; inability to be
physically present on campus due to natural disaster or civil
disturbances
33 Users (e.g., students, faculty, staff, administrators, third Lack of senior management support; complex regulatory
parties) do not follow legal and regulatory requirements environments impacting higher education IT systems and data
regarding the operation/use of IT systems and use of (e.g., FERPA, HIPAA, GLBA, PCI, accessibility, export
institutional data controls, etc.); lack of funding for training; lack of user training
Multiple redundant services/communication flows in place
(inefficient and costly for the institution); institution unaware
how its data are transmitted or where its data are; institution
unaware if institutional data are held by third parties; institution
unable to ensure its own or third-party adherence to requisite
compliance requirements; inability to support, prioritize, or
understand criticality of systems for business continuity
purposes
Operation of IT resources and software in a manner that
violates contractual terms, institution vulnerable to contract
liability; institutional reputation loss; poor perception/reputation
of IT
Failure of business, academic, or research processes; inability
to execute on institutional mission; costs of outsourcing
functions for a period of time; costs to recover data; regulatory
implications for failure to meet legal or contractual
requirements; loss of integrity in automated systems
Inability to enhance, improve, or increase the provision of
enterprise IT operations; unable to operate/recover systems
and data to support to support business, academic, and
research processes and activities; overreliance on key staff;
poor employee morale; increased employee turnover; failure to
support institutional mission
Improper use of university IT systems and institutional data;
failure of users to protect critical institutional data when using
IT resources (leading to data breach); institution vulnerable to
regulatory violations and fines; institutional reputation loss
34 Users (e.g., students, faculty, staff, administrators, third Lack of senior management support; complex university Improper use of university IT systems and institutional data;
parties) do not follow university policies regarding the policies impacting higher education IT systems and data; lack failure of users to protect critical institutional data when using
operation/use of IT systems and use of institutional data of funding for training; lack of user training IT resources (leading to data breach); institution vulnerable to
regulatory violations and fines; institutional reputation loss
Additional Notes Risk Citation
COBIT 5, EDM 1.01-1.03, EDM 2.01 (COBIT Risk Scenario Project Management - Best practices for IT Professionals - R. Murch, 2001
Category 1, 10)

COBIT 5, EDM 1.01, APO 1.01, APO 7.01, APO 7.02 (COBIT
Risk Scenario Category 4, 10)

COBIT 5, APO 1.01, 7.01 (COBIT Risk Scenario Category 4)

COBIT 5, EDM 1.01, EDM 1.02, APO 7.01 (COBIT Risk Scenario
Category 4, 10)

COBIT 5, EDM 2.01, APO 5.03, APO 6.02, BAI 1.03 ISACA Publication, "Risk Scenarios, using COBIT 5 for Risk."

NIST Cybersecurity Framework; ISO/IEC 27001:2013 A.8.2.1;

NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14
COBIT 5, BAI 2.01 (COBIT Risk Scenario Category 6)
COBIT 5, APO 4.03-4.06 (COBIT Rick Scenario Category 7, 20) Association of College and University Auditors (ACUA), Risk Dictionary (used with
permission)

COBIT 5, EDM 2.01, APO 1.04 (COBIT Risk Scenario Category Association of College and University Auditors (ACUA), Risk Dictionary (used with
1, 10) permission)

COBIT 5, BAI 2.01, 3.01-3.05 (COBIT Risk Scenario Category 9) ISACA Publication, "Risk Scenarios, using COBIT 5 for Risk."

COBIT 5, BAI 1.02-1.13 (COBIT Risk Scenario Category 3) Project Management - Best practices for IT Professionals - R. Murch, 2001

COBIT 5, EDM 2.01-2.03, APO 6.03, BAI 3.04 (COBIT Risk Association of College and University Auditors (ACUA), Risk Dictionary (used with
Scenario Category 3) permission)

COBIT 5,BAI 4.05 (COBIT Risk Scenario Category 6) Association of College and University Auditors (ACUA), Risk Dictionary (used with
permission)
COBIT 5, DSS 6.04-6.05 (COBIT Risk Scenario Category 6) Association of College and University Auditors (ACUA), Risk Dictionary (used with
permission)

COBIT 5, APO 1.03, APO 1.08, DSS 5.01, DSS 5.07 (COBIT ISACA Publication, "Risk Scenarios, using COBIT 5 for Risk."
Risk Scenario Category 15, 16)

COBIT 5, DSS 1.01 (COBIT Risk Scenario Category 6, 7, 8, 9)

COBIT 5, BAI 3.04, APO 10.02-10.05 (COBIT Risk Scenario

Category 11)
See also Cloud Controls Matrix Working Group, Cloud Controls
Matrix, https://cloudsecurityalliance.org/group/cloud-controls-
matrix/

NIST Cybersecurity Framework;

ISO/IEC 27001:2013 A.13.1.1, A.13.2.1;
COBIT 5, DSS 5.02 (COBIT Risk Scenario Category 16)
NIST SP 800-53 Rev. 4 AC-4, AC-17, AC-18, CP-8, SC-7
COBIT 5, DSS 1.04-1.05; DSS 4.03-4.04; DCC 5.05 (COBIT Risk
Scenario Category 5, 14, 18, 19)

NIST Cybersecurity Framework;

ISO/IEC 27001:2013 A.17.1.3;
NIST SP 800-53 Rev.4 CP-4, IR-3, PM-14;
COBIT 5, DSS 4.03-4.04 (COBIT Risk Scenario Category 5, 13)

COBIT 5, BAI 3.04, APO 10.02-10.05 (COBIT Risk Scenario

Category 11)
See also Cloud Controls Matrix Working Group, Cloud Controls
Matrix, https://cloudsecurityalliance.org/group/cloud-controls-
matrix/

NIST Cybersecurity Framework;

ISO/IEC 27001:2013 A.5.1.1;
NIST SP 800-53 Rev. 4 -1 controls from all families

COBIT 5, MEA 3.01-3.03; DSS 5.02 (Risk Scenario Category 6, Association of College and University Auditors (ACUA), Risk Dictionary (used with
12) permission)
COBIT 5, APO 13.01-13.03, DSS 5.02, DSS 5.07 (COBIT Risk Association of College and University Auditors (ACUA), Risk Dictionary (used with
Scenario Category 15, 16) permission)

NIST Cybersecurity Framework; ISO/IEC 27001:2013 A.9.1.2;

NIST SP 800-53 Rev. 4 AC-3, CM-7
COBIT 5, DSS 1.04-1.05; DSS 4.03-4.04; DCC 5.05 (COBIT Risk
Scenario Category 5, 14)

COBIT 5, DSS 1.04-1.05; DSS 4.03-4.04; DCC 5.05 (COBIT Risk Association of College and University Auditors (ACUA), Risk Dictionary (used with
Scenario Category 5, 14, 18, 19) permission)

NIST Cybersecurity Framework;

ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.7;
NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16
COBIT 5, APO 1.01, BAI 1.01, BAI 1.02-1.13, BAI 4.01-4.05
(COBIT Risk Scenario Category 2, 8, 9)

NIST Cybersecurity Framework;

ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2,
A.14.2.3, A.14.2.4;
NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10;
COBIT 5, BAI 4.04-4.05, BAI 10.04-10.05 (COBIT Risk Scenario
Category 8)
NIST Cybersecurity Framework;
ISO/IEC 27001:2013 A.13.2.1;
NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8

COBIT 5, DSS 6.02 (COBIT Risk Scenario Category 5) Association of College and University Auditors (ACUA), Risk Dictionary (used with
permission)

COBIT 5, DSS 5.07, DSS 6.05 (COBIT Risk Scenario Category

6, 15)

COBIT 5, APO 7.01-7.05 (COBIT Risk Scenario Category 4 & 5)

COBIT 5, MEA 3.01-3.03; DSS 5.02, APO 1.01, APO 7.01-7.05

(Risk Scenario Category 6, 12, 17)
ISACA, Using COBIT 5 for Risk, "Risk Scenarios," and ISACA,
COBIT 5, "Enabling Processes."
NIST Cybersecurity Framework;
ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7;
NIST SP 800-53 Rev. 4 MP-6;
COBIT 5, MEA 3.01-3.03; DSS 5.02, APO 1.01, APO 7.01-7.05
(Risk Scenario Category 6, 12, 17);
ISACA, Using COBIT 5 for Risk, "Risk Scenarios," and ISACA,
COBIT 5, "Enabling Processes."
 IT
e/
ic
e rv
cl Se

l
na
e

l
na
nc

cy /
fe em

io
l

c
tio
ia
ia

at

gi
nc

Li yst
pl

ra

ut

te
om

na

ra
pe

ep
S
ID No. Risk Statement

St
Fi

O
C

R
Critical institutional business and academic data (e.g., admissions, business operations, research, etc.) not available when
15 needed X X X X X
IT assets (e.g., hardware, devices, data, and software) and systems not prioritized based on their classification, criticality,
6 and institutional value X X X X
Failure to designate leadership (e.g., an individual or individuals) for institutional oversight and strategic direction for IT
2 operations X X X
Failure to designate leadership (e.g., an individual or individuals) for institutional oversight and strategic direction for
3 information security activities X X X
No coordinated vetting and review process for third-party or cloud computing services used to store, process, or transmit
20 institutional data X X X
Failure to create and maintain sufficient and current policies and standards to protect the confidentiality, integrity, and
21 availability of institutional data and IT resources (e.g., hardware, devices, data, and software) X X X

22 Data breach or leak of sensitive information (e.g., academic, business, or research data) X X X
Users (e.g., students, faculty, staff, administrators, third parties) do not follow legal and regulatory requirements regarding
33 the operation/use of IT systems and use of institutional data X X X
Users (e.g., students, faculty, staff, administrators, third parties) do not follow university policies regarding the operation/use
34 of IT systems and use of institutional data X X X

29 Licenses and permits for institutional IT systems and software not maintained X X
Failure to make adequate plans for continuation of institutional business processes (e.g., admissions, academic, operational
19 activities, and research) in the event of an IT outage for an extended period of time X X X
Relevant stakeholders not included in important IT investment decision-making processes (e.g., new applications, priorities,
5 technologies) X X

9 Lack of shared understanding by IT and business units that affects IT service delivery and projects X X

10 IT projects not managed in terms of budget, scheduling, scope, priority, and delivery X X

11 No process for identifying and allocating costs attributable to IT services X X

IT assets (e.g., hardware, devices, data, and software), systems, and services outdated, do not support institutional needs
7 (admissions, academic, business operations, research, etc.) X X

28 Institutional IT communication and data flows not documented X X

12 No process for measuring and managing IT performance X X

No process for managing IT problems to ensure they are adequately resolved or for investigating causes to prevent
13 recurrence X X

16 Loss of access to IT systems and services hosted by another organization, for an unacceptable period of time X X

17 IT communications and networks not protected from complete or intermittent failure X X

Areas housing critical IT assets (e.g., hardware, devices, data, and software) or services physically inaccessible, inoperable,
18 or unsuitable for human access X X
23 Inadequate cyber security incident or event response X X
Failure to control logical access and incorporate principles of least functionality to IT resources (e.g., hardware, devices,
24 data, and software) and systems X X
Failure to control physical access to data centers/facilities, areas housing critical IT resources (e.g., hardware, devices, data,
25 and software) and systems X X
Failure to document institutional IT infrastructure architecture and to implement change-control processes (including
27 creating, maintaining, and revising baseline IT system configurations) X X

30 No process for ensuring institutional data remain complete, accurate, and valid during input, update and storage X X

31 Audit logs on critical IT systems and processes not maintained X X

32 IT staff insufficient to ensure continuous IT system operations X X

14 Incorrect information on public-facing institutional resources (e.g., website, social media streams) X X

4 No succession plan for key institutional IT leaders (e.g., CIO, CISO, CTO, CPO, etc.) X

8 IT management aims and directions not communicated to critical user areas X

Failure to follow organized life-cycle management practices (development, acquisition, use, transfer, repair, replacement,
26 destruction) for institutional IT resources and systems X

1 IT governance and priorities not aligned with institutional priorities

 c
gi
te
ra

Notes
St

X
X

X
 y
og

&
g

s
ol

&
tin

em

ty
hn

t
e

en
pu

ui
s

e ns

ur

rit

in s yst
ce

ec
T

em

tin
om

ct

cu
En tur tio
fI

lT
vi

n S
In es stru

on
to

ag
Se
er

c a
s C

rs

B atio on
es na

ru ic
tS
en

C
an
ic ch

te

st un

i c ra

ic ti
i c io

n
en

pl a
io

s
em

or

rv ar

M
rv Inf
rv at

fra m

es
at
pp

Se ese
Se duc

C
e

In om

Ap for
ag

Se t.

rm

tit
Su

a
an

In
en

us
R

C
E

fo
at
ID No. Risk Statement

IT
M

Id
D
Users (e.g., students, faculty, staff, administrators, third parties) do not follow legal and
regulatory requirements regarding the operation/use of IT systems and use of institutional
33 data X X

Users (e.g., students, faculty, staff, administrators, third parties) do not follow university
34 policies regarding the operation/use of IT systems and use of institutional data X X

8 IT management aims and directions not communicated to critical user areas X

32 IT staff insufficient to ensure continuous IT system operations X

Lack of shared understanding by IT and business units that affects IT service delivery and
9 projects X

Failure to designate leadership (e.g., an individual or individuals) for institutional oversight

3 and strategic direction for information security activities X

Failure to designate leadership (e.g., an individual or individuals) for institutional oversight

2 and strategic direction for IT operations X

IT assets (e.g., hardware, devices, data, and software), systems, and services outdated,
do not support institutional needs (admissions, academic, business operations, research,
7 etc.) X

1 IT governance and priorities not aligned with institutional priorities X

10 IT projects not managed in terms of budget, scheduling, scope, priority, and delivery X

29 Licenses and permits for institutional IT systems and software not maintained X

11 No process for identifying and allocating costs attributable to IT services X

 4 No succession plan for key institutional IT leaders (e.g., CIO, CISO, CTO, CPO, etc.) X

Relevant stakeholders not included in important IT investment decision-making processes

5 (e.g., new applications, priorities, technologies) X

No coordinated vetting and review process for third-party or cloud computing services
20 used to store, process, or transmit institutional data X X

31 Audit logs on critical IT systems and processes not maintained X X

No process for ensuring institutional data remain complete, accurate, and valid during
30 input, update and storage X X

No process for managing IT problems to ensure they are adequately resolved or for
13 investigating causes to prevent recurrence X X

28 Institutional IT communication and data flows not documented X X

IT assets (e.g., hardware, devices, data, and software) and systems not prioritized based
6 on their classification, criticality, and institutional value X

Failure to follow organized life-cycle management practices (development, acquisition,

26 use, transfer, repair, replacement, destruction) for institutional IT resources and systems X

12 No process for measuring and managing IT performance X

Loss of access to IT systems and services hosted by another organization, for an

16 unacceptable period of time X X X X X

Areas housing critical IT assets (e.g., hardware, devices, data, and software) or services
18 physically inaccessible, inoperable, or unsuitable for human access X

17 IT communications and networks not protected from complete or intermittent failure X

Incorrect information on public-facing institutional resources (e.g., website, social media

14 streams) X
 Critical institutional business and academic data (e.g., admissions, business operations,
15 research, etc.) not available when needed X

22 Data breach or leak of sensitive information (e.g., academic, business, or research data) X

Failure to control physical access to data centers/facilities, areas housing critical IT

25 resources (e.g., hardware, devices, data, and software) and systems X

Failure to create and maintain sufficient and current policies and standards to protect the
confidentiality, integrity, and availability of institutional data and IT resources (e.g.,
21 hardware, devices, data, and software) X

23 Inadequate cyber security incident or event response X

Failure to control logical access and incorporate principles of least functionality to IT

24 resources (e.g., hardware, devices, data, and software) and systems X

Failure to document institutional IT infrastructure architecture and to implement change-

control processes (including creating, maintaining, and revising baseline IT system
27 configurations) X

Failure to make adequate plans for continuation of institutional business processes (e.g.,
admissions, academic, operational activities, and research) in the event of an IT outage
19 for an extended period of time
X
X
X
B
us
in
es
s
C
on

Notes
tin
ui
ty
X

X
X

X
Acknowledgments
 
The EDUCAUSE IT GRC Advisory Panel contributed their vision and significant talents to the conception, creation, and completi
register:
Cathy  Bates, Associate Vice Chancellor and Chief Information Officer, Appalachian State University
Niraj Bhagat, Environmental Health & Safety and Information Systems Manager, Southern Methodist University
Michael Chapple, Senior Director for IT Service Delivery, University of Notre Dame
Mike Corn, Deputy Chief Information Officer, Brandeis University
Elias Eldayrie, Vice President and Chief Information Officer, University of Florida
Merri Beth Lavagnino, Chief Risk Officer, Indiana University
Susie McCormick, Assistant Vice President for IT Budget and Administration, University of Virginia
Steve McDonald, General Counsel, Rhode Island School of Design
Peter Murray, Chief Information Officer and Vice President for Information Technology, University of Maryland, Baltimore
Gary Nimax, Assistant Vice President for Compliance and ERM, University of Virginia
Carol Rapps, Audit Manager, Information Systems, University of Texas, San Antonio
Marty Ringle, Chief Information Officer, Reed College
Cheryl Washington, Chief Information Security Officer, University of California, Davis
Madelyn Wessel, General Counsel, Virginia Commonwealth University
 
Many others donated their time and talents to this project. Contributors included individuals and members of several organiza
Escalante, Boston College; the EDUCAUSE Higher Education Information Security Council (HEISC); the EDUCAUSE IT Accessibilit
Group; the National Association of College and University Attorneys (NACUA); the Association of College and University Audito
the University Risk Management and Insurance Association (URMIA); and the National Association of College and University Bu
Officers (NACUBO).
 
Special thanks go to the Association of College and University Auditors, which contributed IT risks from its Risk Dictionary to th
 
EDUCAUSE staff members who contributed to this effort are Joanna Grama, Jon Lang, Susan Nesbitt, and Valerie Vogel.
on, creation, and completion of the risk

University

Maryland, Baltimore

mbers of several organizations: David

EDUCAUSE IT Accessibility Constituent
ege and University Auditors (ACUA);
College and University Business

m its Risk Dictionary to this effort.

and Valerie Vogel.