Published on Information Security at UVA (https://security.virginia.edu)

Home > Information Security Risk Management Program

Information Security Risk Management (IS-RM) Program

Access a PDF of the IS-RM Assessment by clicking here! [1]

IS-RM Assessment - General

The University of Virginia is committed to preventing incidents that may impact the confidentiality, integrity, and availability of information and IT resources.  In accordance with the Information Security of University Technology Resources [2] policy, all units and departments are required to complete an annual information security risk assessment (IS-RM) to evaluate the effectiveness of their IT security controls within their environments.  This assessment is intended to guide your department in updating practices and documentation such as the business continuity and disaster recovery plans.

We are in the second year since the risk assessment became an annual requirement.  We received a lot of excellent feedback during last year’s risk assessment, and have implemented significant process improvements.

What is new this year?

  • The assessment is now behind NetBadge.
  • Assessments must not be edited by more than one person.
  • Once affirmed, no changes may be made to the assessement.
  • If you would like a “copy and paste friendly” version of last year’s assessment data for your unit, please contact is-rm@virginia.edu [3].  Bear in mind the survey format has changed and the content will not align with the current version.
  • The assessment is designed to be completed during one session; please be prepared to complete the survey once it is begun or data loss will occur. Note:  You may return to complete the assessment later, but you must use the same link and same device for each edit session.

how do i know if i should complete THE IS-RM ASSESSMENT?

If you are the designated technology representative for your unit or department, you will receive an email from the UVA Information Security IS-RM team that will contain a Qualtrics survey link directing you to this year's assessment.   Although we do our best to provide links to all unit areas and representatives, it is always possible to miss an updated area or point of contact.  However, each business unit is responsible for ensuring that a risk assessment is completed annually.  If you have not received such an email by the end of January 2019 and your area is not covered within another area’s assessment, please contact us at IS-RM@virginia.edu [4].  Please note that this year, we are have put the assessment behind Netbadge.  Doing so has enabled us to use one general link as opposed to a link specific to each unit.  By distributing the IS-RM this way, you are also enabled to provision as many IS-RM Assessments as you need for the groups that you support.

HOw long will i have to complete the assessment?

The assessment links will be sent out in January 2019.  We will expect a response by the end of March 2019.

WHY USE QUALTRICS?

Qualtrics allows us to manage these assessments in a scalable way across a large number of departments.  It also gives us the ability to prioritize information about potential risks and focus on areas where follow-up is most needed.

CAN I HAVE A COPY OF THE QUESTIONS TO REFERENCE WHILE PLANNING OUT MY SUBMISSION?

The PDF copy of the assessment is available here and at the top of this page [1].  Plese note that the PDF copy of this assessment will have some Qualtrics' piped text phrases (e.g. field:name).  In the live assessment, these strings of text will be replaced by the forms and fields they are pulling from.

CAN I DELEGATE AUTHORITY TO SOMEONE ELSE IN MY DEPARTMENT TO ANSWER A SPECIFIC QUESTION?

We are encouraging those who receive the assessment links to work together with other staff in your areas as necessary to complete the assessment as a single submission.    

IS-RM Assessment - Usability

HOW DO I SAVE MY ANSWERS?

Because the assessment is in Qualtrics, your answers are saved as soon as you enter them, without having to advance to the next page.

HOW DO I GET ACCESS TO PREVIOUS SUBMISSIONS (YEARS)?

To receive a text copy of your previous year’s submission, please reach out to us by emailing IS-RM@virginia.edu [5].

CAN I SAVE A LOCAL COPY?

Unfortunately, no.  Once your department head approves the assessment, we will be contacting you in order to provide you a PDF copy of the completed assessment.  If you would like to receive a copy before the approval of your department head, please contact us IS-RM@virginia.edu [6].

I HAVE MULTIPLE DEPARTMENTS OR ORGANIZATIONAL UNITS; CAN I SUBMIT ONE ASSESSMENT TO COVER MULTIPLE ORGANIZATIONAL UNITS?

Yes.  In the Organization Description block, you can specify to which units you would like the assessment to apply.  We do ask that all of the units covered by the assessment share the same department head for approval and audit purposes.      

CAN MULTIPLE LSP’S WORK ON THE SAME IS-RM ASSESSMENT?

Yes, but with caveats.  Avoid working on an assessment simultaneously with another person, or even in different tabs on your own computer.  If you edit an assessment that is already open in another browser window or on another’s computer, each of the assessments will automatically be saved by Qualtrics, creating fragmented assessments, and answers will be overwritten or deleted.  Be very careful to coordinate with others when you share links to ensure that you do not lose data. 

CAN I edit MULTIPLE ASSESSMENTS AT THE SAME TIME?

Yes, but it is not recommended due to the risk of opening the same survey more than once.  They must be different assessments, each followed from a different link, and in their own browser window or tab. 

CAN I HAVE MULTIPLE IS-RM ASSESSMENTS IN PROGRESS?

Yes.  We suggest using bookmarks to keep track of your assessments.  Alternatively, use the Table of Contents to navigate back to the Organization Description block. 

WHAT DO I DO IF I SUBMITTED THE IS-RM ASSESSMENT TOO EARLY OR I HAVE SOME CHANGES TO MAKE?

The assessment has a few review opportunity pages which encourage you to go over your answers prior to submission.  If you need to change your answers, please contact us at IS-RM@virginia.edu [5]

I AM NOT SURE IF MY ANSWERS ARE CORRECT.  CAN UNIVERSITY INFORMATION SECURITY (INFOSEC) REVIEW MY ANSWERS BEFORE I SUBMIT THE ASSESSMENT?

Yes. However, we believe this will be unnecessary, because after you submit your assessment, we will review it, and then let you know when it's acceptable for you to send it to your department head for approval.

IS-RM Assessment - Navigation

IS THERE A TABLE OF CONTENTS OPTION FOR NAVIGATING MY ASSESSMENT?

Yes.  The Table of Contents can be accessed by clicking on: https://security.virginia.edu/system/files/Qualtrics%20Hamburger%20Icon.png.  By selecting a block from the Table of Contents, you can easily navigate to different sections of the assessment.

WHAT IS A "BLOCK"?

A block is a set of related questions.  You can view the list of blocks for the IS-RM assessment by looking at the Table of Contents.

WHAT DOES A CHECK MARK NEXT TO A BLOCK MEAN?

A check mark next to a block means that you have completed every question that was displayed to you.

HOW DO I KNOW WHEN MY ASSESSMENT IS COMPLETE?

If every block in the Table of Contents has a check mark next to it, then you have completed every section of the assessment.

 

Source URL: https://security.virginia.edu/riskmanagement

Links
[1] https://security.virginia.edu/system/files/netbadge/IS-RM%20Assessment%202018_version%2017Jan2019.pdf
[2] https://uvapolicy.virginia.edu/policy/IRM-004
[3] mailto:is-rm@virginia.edu
[4] mailto: contact%20us%20at%20IS-RM@virginia.edu
[5] mailto:IS-RM@virginia.edu
[6] mailto:contact%20us%20IS-RM@virginia.edu