Inside Iowa State

Inside Iowa State, a newspaper for faculty and staff, is published by the Office of University Relations.

Feb. 23, 2007

Policy changes help measure IT risks

by Erin Rosacker

When a state control audit in 2005 recommended development of a university-wide information technology risk assessment process, work began to develop a set of tools to help units take a look at their IT procedures.

With these tools in hand, the IT policy committee has revamped the IT security policy. The revised draft, available online in the policy library, includes a process that campus units can use to measure their risk and response -- for everything from hackers to hurricanes.

A process to follow -- the questions to ask, the forms to fill out, the documentation to file and a schedule identifying areas that require periodic risk assessments -- never had been formalized, said Maury Hope, associate chief information officer and chair of the IT policy committee.

Hope said the audit recommendation dealt with business continuity procedures, such as how an office would continue its functions during a bird flu pandemic. But the policy revision went a step further to include ways to look at data security on networks and servers.

"This is the foundation of developing a business continuity plan, which many departments and units should be doing," Hope said. "It's also a basis for disaster recovery planning."

Is this for you?

Who should take a look at the policy? Hope points first to departments and units that deal with sensitive or financial information, such as student records, credit cards and health records. But, he said, the newly developed tools are useful campus-wide.

"If they don't know where to start, IT Services will help them," Hope said. "We will help them understand the process to get the risk assessment started."

One part of the policy that did not change was a provision calling for all units to provide employees the opportunity to learn about their roles in a secure IT environment. To complement this requirement, suggestions for security education and awareness were included in the policy's list of resources.

"Our goal was to satisfy the recommendation of the state control audit," Hope said. "This includes providing better tools, so that we can be proactive on risk assessments rather than reactive to incidents. That's our goal."

The campus community can comment on proposed changes to the IT security policy through March 9. The draft is in the online policy library. Once the draft is finalized and approved by administrators, it will be posted in the policy library.

University policies are statements of campus-wide expectations and standards.


The campus community can comment on proposed changes to the IT Security Policy by e-mail. The draft is online at the Policy Library.