
Information Technology Risks in Higher Education: Strategy for Assessment, Planning and Management


Praveen Panchal, VP of IT & CIO, The City College of New York
One of the most important organizational issues facing higher education institutions today is the risk of unprotected and inaccessible information. In general, the risk of unprotected information entails liability for failing to keep student, faculty and staff data confidential, and the risk of inaccessible information entails loss of business or productivity due to network infrastructure failure or catastrophe. Security breaches and failures of information systems can cause serious disasters for the institution, including reputation damage caused by identity theft and financial and other losses stemming from infrastructure collapse. In today’s world of terrorism, increased network security breaches and the ever-looming risk of natural disasters, an all-inclusive IT risk management strategy is gaining prominence as a critical issue more than ever before.
Despite these risks, many higher education institutions are very passive in implementing best practices for IT risk management. Unfortunately, many institutions have limited or no visibility into their IT risk exposure and are not using available resources effectively to contain these risks. They are not proactive in developing institution-wide systematic knowledge and processes to assess and manage IT risks. These institutions may only have a vague understanding of the serious implications that can result from unauthorized access to their data or the loss of information technology resources. It is essential for institutions of higher education to ensure that appropriate mechanisms are set in place to provide uninterrupted IT services, data privacy and timely data recovery to members of their respective communities.
IT risk management is an important aspect of organizational success. Institutions should be able to categorize, quantify, and control information risks. A successful institution should consider IT risks an integral part of institutional risk management. Effective IT risk management requires a comprehensive approach involving an assessment of assets, threats, and vulnerabilities, as well as countermeasures and continuous repeated assessment. Forward-thinking institutions have developed and implemented detailed strategies and guidelines for comprehensive IT risk management.
As institutions depend more and more on information systems, electronic processes, IT services, and the Internet, the likelihood of operational failures due to these components is also increasing. This leads to the concept of risk, which can be viewed as any event that would negatively impact an institution’s ability to meet its stated mission. By definition, an IT risk is a failure in any aspect of the IT environment (e.g. IT assets, processes, security, backup and recovery, and governance) that exposes the institution to loss. These risks, which can be anything from network failure to unauthorized exposure of private information, are becoming significantly visible. Failure of network services causing a loss of productivity, or failure to keep student, faculty and staff data private leading to legal liability, are serious concerns for institutions. Other risks, such as reputation damage caused by identity theft, revenue losses stemming from nonfunctioning ERP systems, and computer hacking due to malicious activities causing distributed denial-of-service (DDoS) attacks, are becoming increasingly prevalent in the academic environment.
To better understand the nature of these risks, their impacts, and protective measures, these risks can be classified into five broad categories: strategic, financial, operational, legal, and reputational. Strategic risk includes primarily long-term threats that may impact the institution’s ability to meet its goals and objectives (e.g. failure to take advantage of possibilities, changes in delivery of teaching and impact of technology, keeping up with changing technologies). Financial risk is any threat involving the potential loss of tangible assets, investments or revenue. Operational risk is often defined as the risk of error or fraud within manual or systems environments (e.g. information accuracy, information accessibility and confidentiality, data integrity and security, hardware reliability and obsolescence, software licensing, communication infrastructure reliability and capacity, system connectivity and compatibility, disaster recovery and business continuity, backup and retrieval, physical security, environmental controls, web page control and content management, and equipment maintenance). Operational risk also denotes threats that can jeopardize the administrative process of an institution. Legal risk is related to compliance with laws and regulations as well as with local ordinances. It is associated not only with externally imposed laws and regulations but also with internal policies and procedures. Reputational risk involves external perception and its effects on the institution’s reputation, brand, or both (this risk may result from an institution’s failure to effectively manage any or all of the other risk types).
The impact of these risks can be disastrous for the institution, and a single occurrence can cause extensive damage to the institution’s reputation. An institution’s reputation is the asset that generates private funding, attracts qualified students, and recruits and retains capable faculty. The questions arise: how do institutions proactively mitigate these risks, how do they ensure that their IT assets are not vulnerable, and how do they minimize the impact if these risks exist? The answer to these questions lies in treating information technology risks within the integrated framework of business risks and developing a comprehensive resolution that considers all risks through the involvement of all stakeholders.
Risk management encompasses three processes: risk assessment, risk mitigation, and continuous evaluation. The risk assessment process includes identifying and evaluating risks and risk impacts; the risk mitigation process refers to prioritizing, implementing, and maintaining the appropriate risk-reducing measures; and the continuous evaluation process includes ongoing evaluation and assessment of risk management processes. Risk management is a systematic and analytical framework for senior leadership to effectively deal with threats and undesirable events. It helps establish the possibility that a threat will adversely influence an institutional asset or resource. It also helps facilitate an action that reduces or eliminates the risk and mitigates the consequences of an attack or event. Institutions with a successful risk management program have strong support and involvement in the process from their senior leadership, employ the concept of a dedicated risk management team, and implement policies and procedures for better accountability. IT risk management is also an essential part of institutional success, and every institution should consider IT risks an integral part of institutional risk management.
In summary, effective IT risk management requires a comprehensive approach. IT risk managers should categorize, quantify, and control IT risks through assessment of assets, threats, vulnerabilities, and safeguards, and through continuous evaluation. Institutions that are forward-thinking have developed and implemented detailed strategies and guidelines for comprehensive IT risk management. However, institutions that are not prepared run into catastrophic consequences during attacks and undesirable events.
