Information Technology Security Risk Management (ITS-RM) Program
The University’s Information Technology Security Risk Management (ITS-RM) Program is intended to provide departments with the information and tools they need to properly manage the security risks associated with their information technology assets.
Some examples of real events that have happened at the University include:
Fire. The University’s Treasurer’s Office is left with burned files and melted computers.
Flood. Health System Computing Services responds to a report of a down server and finds water rushing from the ceiling.
Loss of access. University Hall is closed for several months on 15-minutes’ notice after failing a routine structural safety inspection.
Cyber-attack. Machines containing sensitive data are hijacked via the network.
How prepared is your department to mitigate these risks and to respond appropriately if any one of these events occurs in your area?
Given the serious security risks to information technology (IT) assets, managing those risks effectively is an essential task for the University and its departments. The process will benefit both the individual departments and the University as a whole. It is important that management understand what risks exist in their IT environment, and how those risks can be reduced or eliminated.
The University has business processes, research and instructional efforts, and legally protected data that depend on IT assets, which UVa cannot afford to lose or have exposed. Unfortunately, these IT assets are subject to an increasing number of threats, attacks and vulnerabilities, against which more protection is continually required. The ITS-RM program is an essential component in this overall effort.
University policy requires the management of each University department to complete the process outlined in the University's ITS-RM Program at least once every three years, when there are significant changes to departmental IT assets, or when there are significant changes to the risk environment. (If you have a project in the meantime, you can use the Projects Review Questionnaire). The department head will sign off on the deliverables from this process and file these deliverables in the University's central repository for these documents. The ITS-RM program applies to agencies 207 (Academic Division), 209 (Medical Center) and 246 (College at Wise).
All departments should have completed their first iteration of the process during 2007. The second iteration was due March 1, 2011.
University of Virginia Information Technology
Security Risk Management Program v. 3.0 packet (August 3, 2010)
Includes the assessment and mission continuity tools, including a disaster recovery plan template, necessary for completing an ITS-RM report.
Templates required to complete your department’s ITS-RM report (these are spread throughout the full packet intermixed with background and instructions, but are collected in a compact reporting format here): Microsoft Word format | PDF format
PowerPoint presentation given at a 2004 LSP conference explaining the initial version of the program. Useful background and explanation of expectations for anyone working on this ITS-RM program.
PowerPoint presentation given at a 2005 Mid-Atlantic EDUCAUSE meeting on the process involved in creating and implementing an IT security risk management program.
For further information, please contact us at
Page Updated: 2013-05-01
- Project Review Questionnaire
- Electronic Data Removal Procedures
- Institutional Data Protection Standards
- Highly Sensitive Data Storage Policy
- UVa SSN Initiative
- ISO 27002 Code of Practice for Information Security Management [.pdf]
- Reporting a Security Problem
- SANS Top Cyber Security Risks
- Choosing Strong Passwords
- Requirements for Securing Electronic Devices