During the summer, the Information Security Office faced a challenge — the campus community began requiring an increasing number of risk assessments.
The increased demand for security risk assessments was due to the University’s transition to 100% working from home amid the pandemic as well as an increase in assessments related to COVID-19 projects.
The Information Security Office (ISO) conducts risk assessments for campus clients to identify possible threats against sensitive information. The ISO completes assessments for such things as application and solution purchases, research projects and grants.
In response to the increased demand for risk assessments, the ISO Risk Team, working with Manager Mel Radcliffe and Dennis Schmidt, Assistant Vice Chancellor and Chief Information Security Officer, developed the Risk Assessment Partner Program, also known as RAPP.
Boosts liaisons’ skills
ISO envisioned RAPP as a collaboration between the ISO Risk Team and various campus units. The goals of RAPP were two-fold: to develop security skills of the Information Security Liaisons and to expedite the risk assessment process, Schmidt said.
Campus Information Security Liaisons partners in RAPP assist the Information Security Office in gathering the required information from stakeholders and other parties to develop the risk assessment. In addition, the Information Security Liaisons (ISL) individual partners participate in developing the final risk assessment documents and participate in the peer review process with the Risk Team.
As of the fall, the ISO has completed numerous successful risk assessments that have been developed as part of RAPP, Radcliffe said.
Expedites reviews
“The RAPP has opened up an avenue to decrease the time in which it takes to complete risk assessments at UNC,” said Sam Garcia, IT Security Analyst with the Adams School of Dentistry. “Our projects tend to deal with products and vendors where sensitive information is in play. Additionally, these projects tend to move fast, so a timely risk assessment is essential to avoid any delays with implementation.”
Consider the start of the pandemic, Garcia said. “When UNC began remote work, the need for applications that would assist with business in a COVID-friendly response arose enterprise wide.” As a result, he noted, the Information Security Office had to put aside risk assessments it had already started in order to respond to assessments related to COVID-19.
The RAPP program, Garcia said, has enabled Adams School of Dentistry projects to move forward in a timely manner. In addition, it ensures that data of the School and University is protected and enables “information officers to make an informed decision on the security risk of sensitive information in play, especially during an unprecedented time in the IT industry.”
The Office of University Development has also participated in the RAPP program.
“With the ever-growing threat landscape, we need risk assessments now more than ever to mitigate weak security practices and avoid reputational damage for UNC and the potential compromise/misuse of sensitive data,” said Mark Ingram, Infrastructure & Technology Manager at University Development.
Improved assessment experience
“Joining the RAPP program has been enlightening and a very positive experience,” he said.
Through this collaborative partnership, Ingram was able to participate at a much deeper level with the ISO Risk Team to complete detailed forms such as the Risk Assessment Customer Engagement and the Risk Assessment Vendor Engagement.
“Helping to complete this needed documentation along with presenting the assessment for peer review by the Risk Team — and surviving, gave me great insight into the process,” Ingram said. “There is a ton of behind-the-scenes work that goes into a formal risk assessment, so the RAPP allows for quicker turnaround time, increases the knowledge of the ISL, and facilitates an overall improved risk assessment experience — especially for high-volume departments.”