Clint Davies

Public University IT Security Risk Assessment


Client Description

A large, public R1 university wanted to strengthen security across its many departments, colleges, and campuses by identifying gaps in current security practices.

Challenge

The University implemented an information security risk assessment program to help strengthen security across its many departments, colleges, and campuses. It had established a set of information security standards and policies based on ISO 27002, yet recognized that adoption and awareness of information security practices were inconsistent. The University wanted to address these inconsistencies while also identifying additional gaps in current security practices.

Approach

The University engaged BerryDunn to help design, manage, and execute 17 risk assessments over the course of two years. Each assessment entailed scoping activities, onsite work sessions, risk treatment planning, and the issuance of a document that ranked and described the risks identified and provided an actionable treatment plan. Imperative to the success of each assessment was gaining buy-in from departmental leadership and establishing trust between our team and departmental staff.

Outcomes

Each department or college received a report describing identified risks and outlining an actionable risk treatment plan. As a result, more than a dozen units are actively addressing risks and implementing stronger security controls across campus. Additionally, the University’s central information security team was able to identify and address gaps in University-level practices in areas such as information security training, awareness, and vendor due diligence.

Long-term value 

  1. Increased awareness of IT security standards and practices across many departments, colleges, and units
  2. Established a structured and sustainable approach to ongoing IT security risk management
  3. Helped units prioritize security needs based on impact and likelihood of associated risks