The Information Security Risk Management (ISRM) Assessment
The University of Virginia is committed to preventing incidents that may impact the confidentiality, integrity, and availability of information and IT resources. In accordance with the Information Security of University Technology Resources policy, all units and departments are required to complete an annual Information Security Risk Management (ISRM) assessment to evaluate the effectiveness of the IT security controls within their environments.
We are in the fourth year since the risk assessment became an annual requirement. This year's assessment focuses on the CIS Top Twenty Critical Controls, on information security tools, and on the steps departments have taken to move online in response to the pandemic.
Just like last year, we also have templates available to help you with the endpoint and server inventory questions:
How do I access this year's assessment?
The ISRM Assessment has been moved into the same OneTrust tool that the IT Compliance team uses for conducting vendor risk assessments (see Vendor Review FAQ). You can now access the ISRM Assessment in OneTrust through the Self Service Portal. Instead of selecting to launch "UVA Vendor Onboarding", you will be able to select "ISRM Assessment".
Navigating the Risk Assessment in OneTrust
Initiating an Information Security Risk Assessment is now really easy! Just follow the steps below.
1. Visit the UVA OneTrust Self Service portal
2. Type in your UVA email address and click “Next” to login through Netbadge
3. Click on the grid icon at the top left of your screen
4. Select "IT Risk Management"
5. Click "Launch"
6. Navigating the ISRM
When you launch the Assessment, the Assessment Name should reflect the group you represent (i.e., Classrooms, Desktop Support, Physics, etc.). If you do not anticipate being the only person to work on the Assessment, be sure to add additional respondents at this time.
Attachments can be added to every question by using the paperclip icon located below each question.
Comments can be added to every question by using the “speech cloud” icon located below each question. Use this to ask us about a specific question or to provide feedback.
NOTE: When completing some fields, you may need to click "Add Option" beneath the text field after you finish typing.
Adding Additional Respondents to the ISRM
OneTrust allows for additional respondents to be added to an assessment. This means that if there is someone else in your area who you would like to engage to supply assessment information (e.g., department chair, fellow IT staff, a direct report), you can add them to your assessment.
1. While in your assessment, look for the little information icon at the top left ("i" with a circle). Click it.
2. Look to the right of your screen at the Edit Details window. Go to the section titled "Respondents". Hover to the right of your name and click the pen and paper icon that appears.
3. Click the green plus sign. Type in the email address of the additional respondent you intend to add. Then, click the blue "Save" button at the bottom right.
NOTE: OneTrust does not immediately populate user information throughout the system. This means that OneTrust may show an error when you go to edit respondents indicating that you are not a valid user. To fix this, type your email address into the respondent field where your name is located before clicking the Save button. If you run into any issues, reach out to [email protected] and we can fix it.