
 

Information Security Risk Management (IS-RM) Program

IS-RM Assessment - General

The University of Virginia is committed to preventing incidents that may impact the confidentiality, integrity, and availability of information and IT resources.  In accordance with the Information Security of University Technology Resources policy, all units and departments are required to complete an annual information security risk assessment (IS-RM) to evaluate the effectiveness of their IT security controls within their environments.  This assessment is intended to guide your department in updating practices and documentation such as the business continuity and disaster recovery plans.

We are in the second year since the risk assessment became an annual requirement.  We received a lot of excellent feedback during last year’s risk assessment, and have implemented significant process improvements.

HOW DO I KNOW IF I SHOULD COMPLETE THE IS-RM ASSESSMENT?

If you are the designated technology representative for your unit or department, you will receive an email from the UVA Information Security IS-RM team that will contain a Qualtrics survey link directing you to the assessment that is specific to your unit.   Although we do our best to provide links to all unit areas and representatives, it is always possible to miss an updated area or point of contact.  However, each business unit is responsible for ensuring that a risk assessment is completed annually.  If you have not received such an email by the end of January 2019 and your area is not covered within another area’s assessment, please contact us at IS-RM@virginia.edu.

HOW LONG WILL I HAVE TO COMPLETE THE ASSESSMENT?

The assessment links will be sent out in January 2019.  We will expect a response by the end of March 2019.

WHY USE QUALTRICS?

Qualtrics allows us to manage these assessments in a scalable way across a large number of departments.  It also gives us the ability to prioritize information about potential risks and focus on areas where follow-up is most needed.

CAN I HAVE A COPY OF THE QUESTIONS TO REFERENCE WHILE PLANNING OUT MY SUBMISSION?

PDF copies of the coming year’s assessment will be ready by January 2019 on this webpage.  Please check back with us then!

CAN I DELEGATE AUTHORITY TO SOMEONE ELSE IN MY DEPARTMENT TO ANSWER A SPECIFIC QUESTION?

We encourage those who receive the assessment links to work together with other staff in their areas as necessary to complete the assessment as a single submission.

IS-RM Assessment - Usability

HOW DO I SAVE MY ANSWERS?

Because the assessment is in Qualtrics, your answers are saved as soon as you enter them, without having to advance to the next page.

HOW DO I GET ACCESS TO PREVIOUS SUBMISSIONS (YEARS)?

To receive a text copy of your previous year’s submission, please reach out to us by emailing IS-RM@virginia.edu.

CAN I SAVE A LOCAL COPY?

Unfortunately, no.  Once your department head approves the assessment, we will contact you to provide a PDF copy of the completed assessment.  If you would like to receive a copy before the approval of your department head, please contact us at IS-RM@virginia.edu.

I HAVE MULTIPLE DEPARTMENTS OR ORGANIZATIONAL UNITS; CAN I SUBMIT ONE ASSESSMENT TO COVER MULTIPLE ORGANIZATIONAL UNITS?

Yes.  In the Organization Description block, you can specify to which units you would like the assessment to apply.  We do ask that all of the units covered by the assessment share the same department head for approval and audit purposes.      

CAN MULTIPLE LSPs WORK ON THE SAME IS-RM ASSESSMENT?

Yes, but with caveats.  Avoid working on an assessment simultaneously with another person, or even in different tabs on your own computer.  If you edit an assessment that is already open in another browser window or on another person’s computer, Qualtrics will automatically save each copy, creating fragmented assessments, and answers will be overwritten or deleted.  Coordinate carefully with others when you share links to ensure that you do not lose data.

CAN I EDIT MULTIPLE ASSESSMENTS AT THE SAME TIME?

Yes, but it is not recommended due to the risk of opening the same survey more than once.  If you do, they must be different assessments, each opened from a different link and in its own browser window or tab.

CAN I HAVE MULTIPLE IS-RM ASSESSMENTS IN PROGRESS?

Yes.  We suggest using bookmarks to keep track of your assessments.  Alternatively, use the Table of Contents to navigate back to the Organization Description block. 

WHAT DO I DO IF I SUBMITTED THE IS-RM ASSESSMENT TOO EARLY OR I HAVE SOME CHANGES TO MAKE?

The assessment has a few review pages that encourage you to go over your answers prior to submission.  If you need to change your answers after submitting, please contact us at IS-RM@virginia.edu.

I AM NOT SURE IF MY ANSWERS ARE CORRECT.  CAN UNIVERSITY INFORMATION SECURITY (INFOSEC) REVIEW MY ANSWERS BEFORE I SUBMIT THE ASSESSMENT?

Yes. However, we believe this will be unnecessary, because after you submit your assessment, we will review it, and then let you know when it's acceptable for you to send it to your department head for approval.

IS-RM Assessment - Navigation

IS THERE A TABLE OF CONTENTS OPTION FOR NAVIGATING MY ASSESSMENT?

Yes.  The Table of Contents can be accessed by clicking on the Qualtrics hamburger icon (image: https://security.virginia.edu/system/files/Qualtrics%20Hamburger%20Icon.png).  By selecting a block from the Table of Contents, you can easily navigate to different sections of the assessment.

WHAT IS A "BLOCK"?

A block is a set of related questions.  You can view the list of blocks for the IS-RM assessment by looking at the Table of Contents.

WHAT DOES A CHECK MARK NEXT TO A BLOCK MEAN?

A check mark next to a block means that you have completed every question that was displayed to you.

HOW DO I KNOW WHEN MY ASSESSMENT IS COMPLETE?

If every block in the Table of Contents has a check mark next to it, then you have completed every section of the assessment.

 
