Information Technology Risks in Higher Education: Strategy for Assessment, Planning and Management

Praveen Panchal, VP of IT & CIO, The City College of New York

One of the most important organizational issues facing the higher education institutions today is the risk of unprotected and inaccessible information. In general, the risk of unprotected information entails liability for failing to keep students, faculty and staff data confidential, and the risk of inaccessible information entails loss of business or productivity due to network infrastructure failure or catastrophe. Security breaches and failures of information systems can be causes of serious disasters for the institution, including reputation damage caused by identity theft and financial and other losses stemming from infrastructure collapse. In today’s world of terrorism, increased network security breaches and the ever-looming risk of natural disasters, we find that an all-inclusive IT risk management strategy is gaining prominence as a critical issue more than ever before.

Despite these risks, many higher education institutions are very passive in implementing the best practices for IT risk management. Unfortunately, many institutions have limited or no visibility of their IT risk exposure and are not utilizing available resources effectively to contain these risks. They are not proactive in developing institution wide systematic knowledge and processes to assess and manage IT risks. These institutions may only have a vague understanding of the serious implications that can result from unauthorized access to their data or the loss of information technology resources. It is essential for institutions of higher education to ensure that appropriate mechanisms are set in place to provide uninterrupted IT services, data privacy and timely data recovery to members of their respective communities.

The IT risk management is an important aspect of organizational success. Institutions should be able to categorize, quantify, and control information risks. A successful institute should consider IT risks as an integral part of the institutional risk management. Effective IT risk management requires a comprehensive approach involving an assessment of assets, threats, and vulnerabilities, as well as countermeasures and continuous repeated assessment. Forward thinking institutions have developed and implemented detailed strategies and guidelines for a comprehensive IT risk management.

As institutions are depending more and more on information systems, electronic processes, IT services, and the Internet, the likelihood of operational failures due to these components is also increasing. This leads to the concept of risk, which can be viewed as any event that would negatively impact an institution’s ability to meet its stated mission. By definition, an IT risk is a failure in any aspect of the IT environment causing exposure to loss for the institution (e.g. IT assets, processes, security, backup and recovery, and governance). These risks, which can be anything from network failure to unauthorized exposure of private information, are becoming significantly visible. Failure of network services causing a loss of productivity or failure to keep student, faculty and staff data private leading to legal liability are serious concerns for institutions. Other risks such as reputation damage caused by identity theft, revenue losses stemming from nonfunctioning ERP systems and computer hacking due to malicious activities causing distributed denial-of-service (DDOS) attacks are becoming increasingly prevalent in the academic environment.

To better understand the nature of these risks, their impacts, and protective measures, these risks can be classified into five broad categories: strategic, financial, operational, legal, and reputational. Strategic risk includes primarily long-term threats that may impact the institution’s ability to meet its goals and objectives (e.g. failure to take advantages of possibilities, changes in delivery of teaching and impact of technology, keeping up with changing technologies). Financial risk is any threat involving the potential loss of tangible assets, investments or revenue. Operational risk is often defined as the risk of error or fraud within manual or systems environments (e.g. information accuracy, information accessibility and confidentiality, data integrity and security, hardware reliability and obsolescence, software licensing, communication infrastructure reliability and capacity, system connectivity and compatibility, disaster recovery and business continuity, backup and retrieval, physical security, environmental controls, web pages control and content management, and equipment maintenance). Operational risk also denotes threats that can jeopardize the administrative process of an institution. Legal risk is related to compliance with laws and regulations as well as with local ordinance. It is not only associated with externally imposed laws and regulations but also with internal policies and procedures. Reputational risk involves external perception and its effects on the institution’s reputation and brand or both (this risk may result from an institution’s failure to effectively manage any or all of the other risk types).

The impact of these risks can be disastrous for the institution, and a single occurrence can cause extensive damage to the institution’s reputation. An institution’s reputation consists of the asset that generates private funding, attracts qualified students, and recruits and retains capable faculty. The questions arise—how do institutions proactively mitigate these risks, how do they ensure that their IT assets are not vulnerable, and how do they minimize the impact if these risks exist. The answer to these questions lies in treating information technology risks within the integrated framework of business risks and developing a comprehensive resolution considering all risks through involvement of all stakeholders.

Risk management encompasses three processes: risk assessment, risk mitigation, and continuous evaluation. The risk assessment process includes identifying and evaluating risks and risk impacts; the risk mitigation process refers to prioritizing, implementing, and maintaining the appropriate risk-reducing measures and; the continuous evaluation process includes ongoing evaluation and assessment of risk management processes. Risk management is a systematic and analytical framework for senior leadership to effectively deal with threats and undesirable events. It helps establish the possibility that a threat will adversely influence an institutional asset or resource. It also helps facilitate an action that reduces or eliminates the risk and mitigates the consequences of an attack or event. Institutions with a successful risk management program have strong support and involvement in the process from their senior leadership, employ the concept of a dedicated risk management team, and implement policies and procedures for better accountability. IT risk management is also an essential part of institutional success and every institution should consider IT risks as an integral part of the institutional risk management.

In summary, effective IT risk management requires a comprehensive approach. IT risk managers should categorize, quantify, and control IT risks involving assessment of assets, threats, vulnerabilities, safeguards and continuous evaluation. Institutions that are forward-thinking have developed and implemented detailed strategies and guidelines for a comprehensive IT risk management. However, institutions that are not prepared run into catastrophic consequences during attacks and undesirable events.

See Also: Top EdTech Companies