IT Risk Register Introduction

 
Risk management is perceived as being hard to do, and institutions struggle to know where to begin. In fact, a 2014 ECAR 
study found that 81% of colleges and universities do not consider IT risk in their institutional strategic plans. 1 Nonetheless, 
risk management is an important process that can help institutions identify, analyze, and prioritize the risks that may impact 
their ability to meet strategic goals. 
 
Traditional IT risk-management processes start with risk identification, in which institutions inventory their IT systems and 
data and create an individualized list of the risks faced by each system. This can be a significant undertaking, often made 
more difficult by institutional culture and resource constraints. Because the risk inventory itself involves so much effort, the 
next step in the process—addressing those risks at a strategic level—often seems so daunting that many institutions don’t do
it. Nevertheless, strategically addressing IT risk is a vital part of risk management. Rather than simply identifying risks related 
to physical inventories of assets in isolation, a strategic approach focuses on IT’s impact (or lack thereof) on institutional 
goals. 

The EDUCAUSE IT GRC Advisory Group created this IT Risk Register for institutional IT departments to get their strategic IT 
risk-management programs off the ground. The IT Risk Register is a sortable checklist that identifies common strategic IT risks
and catalogues those risks according to common risk types and IT domains. It also contains a resource to help institutions 
conduct a qualitative risk assessment of the items listed in the register. Institutions can use this tool to jumpstart or improve 
their own IT risk-management programs. For instance, if an institution is just starting a risk-management program, the 
register can be used to pre-populate lists of risks for the institution to consider in its analysis. For an institution that already 
has a risk-management program, the register can be consulted to make sure that the institution has not inadvertently 
omitted any key risks.
 
This IT Risk Register supplements an institution's own thoughtful IT risk-management process. Institutions should note that 
the list of risks presented in this register is not exhaustive. Instead, it is a starting point for considering how to look at 
strategic risks within an IT organization. Not all risks will apply to all institutions. In addition, this risk register is not a risk-
assessment tool or template. It does not prioritize risks against one another, nor does it spell out a particular method for 
evaluating the costs and benefits of addressing the identified risks. It is hoped, however, that the examples provided in this 
list will lead higher education institutions toward a more strategic and holistic appreciation of IT risk and an ability to 
integrate IT risk into the broader institutional risk profile. 
 
---------------------------------

See Bichsel, Jacqueline, and Patrick Feehan. Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in
1 

Higher Education. ECAR, June 2014. Available from http://www.educause.edu/library/resources/it-governance-risk-and-
compliance-higher-education

© EDUCAUSE 2015
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-
SA 4.0).

Brought to You by the EDUCAUSE IT Governance, Risk, and Compliance Program

This risk register and the member advisory council that created it are part of the EDUCAUSE IT Governance, Risk, and 
Compliance program. The program provides resources that help IT professionals define and implement IT GRC activities on 
their campuses. Learn more and view additional resources at www.educause.edu/it-grc

 
 
SA 4.0).

Brought to You by the EDUCAUSE IT Governance, Risk, and Compliance Program

This risk register and the member advisory council that created it are part of the EDUCAUSE IT Governance, Risk, and 
Compliance program. The program provides resources that help IT professionals define and implement IT GRC activities on 
their campuses. Learn more and view additional resources at www.educause.edu/it-grc

 
 
o begin. In fact, a 2014 ECAR 
strategic plans. 1 Nonetheless, 
ritize the risks that may impact 

ventory their IT systems and 
nt undertaking, often made 
elf involves so much effort, the 
 that many institutions don’t do 
n simply identifying risks related 
ck thereof) on institutional 

ments to get their strategic IT 
ntifies common strategic IT risks 
resource to help institutions 
is tool to jumpstart or improve 
anagement program, the 
For an institution that already 
on has not inadvertently 

. Institutions should note that 
nsidering how to look at 
his risk register is not a risk-
out a particular method for 
the examples provided in this 
 IT risk and an ability to 

k, and Compliance Programs in

ces/it-governance-risk-and-

nternational License (CC BY-NC-

T Governance, Risk, and 
mplement IT GRC activities on 
T Governance, Risk, and 
mplement IT GRC activities on 
 How to Use
 
Items in this IT Risk Register can be sorted by risk type, which is based on the consequences that an institution can expect to f
following risk types are used in this register:
Compliance: Risks that relate to a potential violation of a law or regulation or an institutional policy or requirement
Financial: Risks that impact the institution’s financial resources or financial operations 
System/Service/IT Life Cycle: Risks that impact the provisioning of IT systems and services
Operational: Risks that impact the day-to-day operation of IT systems and services
Reputational: Risks that negatively affect institutional image, standing, or character
Strategic: Risks that may have a lasting impact on an institution’s ability to pursue its overarching mission or strategic goals 
 
Risks in the IT Risk Register can also be sorted by IT domain. For the most part, the IT domain categories used in this register c
used in the EDUCAUSE Core Data Service.2 This mapping enables institutions that complete the CDS survey each year to cross
entered in CDS for their own risk-management activities. The following IT domain categories are used in this register:
Administration and Management of IT (CDS Module 1)
IT Support Services (CDS Module 2)
Educational Technology Services (CDS Module 3)
Research Computing Services (CDS Module 4)
Data Centers (CDS Module 5)
Communications Infrastructure Services (CDS Module 6)
Enterprise Infrastructure and Services (Used throughout CDS)
Information Security (CDS Module 7)
Identity Management (CDS Module 7)
Information Systems and Applications (CDS Module 8)
Business Continuity (IT domain area added by the IT GRC Advisory Panel)
 
The risks are listed in the register in the following ways:
Worksheet tab called “Risk List Unsorted.” This lists of all of the risks in the IT Risk Register, with notes about the causes and im
notes and source information for a particular risk have been included on this tab for further reference.
Worksheet tab called “Sort by Risk Type.” This lists of all of the risks in the IT Risk Register, sorted by type. An institution that w
example, could filter the list according to the “compliance” column.  
Worksheet tab called “Sort by IT Domain.” This lists of all of the risks in the IT Risk Register, sorted by IT domain (using the defi
Service). An institution that wants to view only “identity management” risks, for example, could filter the list according to the
A notes column is included on the “Sort by Risk Type” and “Sort by IT Domain” worksheets for institutions to add their own no
Institutions may add their own columns and rows on each sheet to customize the register as necessary.

The IT Risk Register also contains a qualitative risk assessment template ( the worksheet called "Risk Assessment") to assess t
register to be realized.  Risks can be assessed according to three measures:

Likelihood:  How likely it is for the risk to be realized?
1 = Low. Events that are unlikely to happen within a year.
2 = Medium. Events that are somewhat likely to happen within a year.
3 = High. Events that are likely to happen within a year.

Impact: What is the impact to the institution if the risk is realized?
1 = Low. Little or no effect on the institution; low costs/reputational damage.
2 = Medium. Moderate effect on the institution; moderate costs/reputational damage.
3 = High. Significant effect on the institution; severe costs/reputational damage.

Velocity:  What is the speed with which the institution will feel the impact if the risk is realized (also considered an impact tim

1 = Low. Institution will feel the impact of the realized risk effects in 12+ months.
2 = Medium. Institution will feel the impact of the realized risk effects in 6-12 months.
3 = High. Institution will feel the impact of the realized risk effects in 0-6 months. 

The product of these three measures can be used to help institutions prioritize their risk response activities. Higher scores cor
important for an institution to address.  The risk assessment template also uses color (red = high; yellow = medium; green = lo
---------------------------------
1
 See EDUCAUSE Core Data Service IT domain definitions, available at: http://www.educause.edu/research-and-publications/r
data-service/it-domain-definitions 
2
 EDUCAUSE Core Data Service, available at: http://www.educause.edu/research-and-publications/research/core-data-service
3 = High. Institution will feel the impact of the realized risk effects in 0-6 months. 

The product of these three measures can be used to help institutions prioritize their risk response activities. Higher scores cor
important for an institution to address.  The risk assessment template also uses color (red = high; yellow = medium; green = lo
---------------------------------
1
 See EDUCAUSE Core Data Service IT domain definitions, available at: http://www.educause.edu/research-and-publications/r
data-service/it-domain-definitions 
2
 EDUCAUSE Core Data Service, available at: http://www.educause.edu/research-and-publications/research/core-data-service
hat an institution can expect to face if the risk were realized. The 

policy or requirement

hing mission or strategic goals 

 categories used in this register correspond directly to the IT domains 1 
he CDS survey each year to cross-reference risks on this list with data 
are used in this register:

th notes about the causes and impacts of each risk. In some instances, 
eference.
ted by type. An institution that wants to view only “compliance” risks, for 

rted by IT domain (using the definitions provided by the Core Data 
uld filter the list according to the “identity management” column.  
r institutions to add their own notes related to a listed risk.
necessary.

d "Risk Assessment") to assess the potential for the risks listed in the 

d (also considered an impact time horizon)?

onse activities. Higher scores correlate to a risk that may be more 
igh; yellow = medium; green = low) to indicate higher scores.

edu/research-and-publications/research/core-data-service/about-core-

tions/research/core-data-service 
onse activities. Higher scores correlate to a risk that may be more 
igh; yellow = medium; green = low) to indicate higher scores.

edu/research-and-publications/research/core-data-service/about-core-

tions/research/core-data-service 
ID No. Risk Statement Risk Causes Risk Impacts
1 IT governance and priorities not aligned with institutional IT failure to understand institutional strategy; lack of Poor governance of enterprise IT; inability to use IT to
priorities institutional support for IT operations strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; inefficiencies and duplication of
effort; poor perception/reputation of enterprise IT

2 Failure to designate leadership (e.g., an individual or
individuals) for institutional oversight and strategic direction
for IT operations
Lack of institutional support for IT operations
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; creation of fiefdoms leading to
inefficiencies and duplication of effort

3 Failure to designate leadership (e.g., an individual or
individuals) for institutional oversight and strategic direction
for information security activities
Lack of institutional support for IT and information security
operations
Poor governance of enterprise information security efforts;
inability to enhance, improve, or increase the effectiveness of
institutional information security; data breaches; failure to
meet regulatory compliance requirements; regulatory fines
and expenses

4 No succession plan for key institutional IT leaders (e.g., CIO, Lack of institutional support for IT operations; human nature Leadership void in the event of separation of a key IT leader
CISO, CTO, CPO, etc.) not to plan for succession activities; lack of qualified internal from the institution
staff for succession planning

5 Relevant stakeholders not included in important IT investment Lack of senior management support; stakeholders fail to Uses of university IT systems that contravene good
decisions (e.g., priorities, technologies, new applications) understand IT investment decisions (or provision of IT investment decision making; poor governance of enterprise
services in general); inability to identify stakeholders IT; inability to use IT to strategically support institutional
mission (admissions, research, institutional operations,
outreach to the community); inability to enhance, improve, or
increase the provision of enterprise IT operations;
inefficiencies and duplication of effort; increased cost for
providing IT services; poor perception/reputation of enterprise
IT
6 IT assets (e.g., hardware, devices, data, and software) and Lack of senior management support; complexity of business Multiple redundant resources in place (inefficient and costly
systems not prioritized based on their classification, criticality, processes and automated systems; lack of funding and tools for the institution); lack of institutional knowledge about where
and institutional value for prioritization efforts; failure to update prioritization when IT resources, systems, and data are located; inability to
conditions change; stakeholder failure to agree on resource implement business continuity plans to support institutional
prioritization operations; financial losses due to replacement of nonpriority
systems; inability to execute strategic projects
 7 IT assets (e.g., hardware, devices, data, and software),
systems, and services outdated, do not support institutional
needs (admissions, academic, business operations, research,
etc.)
8 IT management aims and directions not communicated to
critical user areas
9 Lack of shared understanding by IT and business units that
affects IT service delivery and projects
10 IT projects not managed in terms of budget, scheduling,
scope, priority, and delivery
11 No process for identifying and allocating costs attributable to
IT services
12 No process for measuring and managing IT performance
Complex and inflexible institutional enterprise IT architecture
(not scalable for current needs); failure to adopt new IT
infrastructure and/or services in a timely manner to support
institutional needs
Lack of senior management support; failure to understand IT
management priorities; failure to prioritize communications to
critical user areas; lack of multiple communication channels
(e.g., e-mail, print media, other electronic media) to convey
information to user areas; failure of users to pay attention
Lack of senior management support; failure of IT staff to
understand business processes and how IT services can
benefit those process; failure of business staff to understand
IT processes; inability to identify and document business
processes; mutual disrespect
Lack of senior management support; complexity of IT
systems; complexity of cross-institutional IT projects; failure to
assign a project manager or implement project management
methodologies when engaging in IT projects; failure to inform
stakeholders about project changes
Lack of senior management support; complexity of IT
systems; complexity of institutional cost-allocation process;
inability to calculate TCO of providing IT services; failure to
account for indirect costs such as software license and
upgrade fees
Lack of senior management support; complexity of IT
infrastructure; lack of funding and tools for performance
management or metrics; insufficient staff to attend to
performance management; failure to inform institutional
audience about performance management
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to provide needed business, academic, research
services; inability to enhance, improve, or increase the
provision of enterprise IT operations; increased cost for
providing IT services; failure to support user IT needs; poor
perception/reputation of enterprise IT
Uses of university IT systems that contravene management
aims; poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; inefficiencies and duplication of
effort; poor perception/reputation of enterprise IT
Inability to use IT to strategically support institutional mission
(admissions, research, institutional operations, outreach to
the community); inability to enhance, improve, or increase the
provision of enterprise IT operations to support business,
academic, or research processes; increased cost for
providing IT services; failure of business process
reengineering; distrust between organizational units
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; increased cost for providing IT
services; failure of IT projects; poor perception/reputation of
enterprise IT
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; increased cost for providing IT
services
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; increased cost for providing IT
services
13 No process for managing IT problems to ensure they are
adequately resolved or for investigating causes to prevent
recurrence
14 Incorrect information on public-facing institutional resources
(e.g., website, social media streams)
15 Critical institutional business and academic data (e.g.,
admissions, business operations, research, etc.) not available destroyed; equipment lost/misplaced/stolen; lack of adequate
when needed
16 Loss of access—for an unacceptable period of time—to IT
systems and services hosted by another organization
17 IT communications and networks not protected from complete Internet or campus network failure; hardware failure; software
or intermittent failure
Lack of senior management support; complexity of IT
infrastructure; lack of funding and tools for service
management; insufficient staff to attend to service
management; failure to inform institutional audience about
support processes; insufficiently skilled staff to investigate and
resolve problems
Information on public websites out of date; internal posting
mistakes made by staff; intentional or unintentional vandalism resource costs to repair website; institutional reputation loss;
Hardware failure; software failure; data deleted; facility
backups; lack of source documents or input files; data on
backups corrupted; backups unavailable (e.g., lost, stolen,
missing); failure to make appropriate arrangements with
vendors to provide redundant or support services; lack of
understanding recovery point objective (RPO—how much
data can be lost and recreated); failure to conduct, maintain,
and periodically test backups
Internet or campus network failure; hardware failure; software
failure; data deleted; facility destroyed; equipment
lost/misplaced/stolen (can be on the part of vendor or on
institutional systems that interact with vendor systems); failure
of authentication systems (vendor or institution); failure to
make appropriate arrangements with vendors to provide
redundant or support services; failure to develop and update
business continuity strategies; failure to test business
continuity plans; establishing unrealistic recovery time
objectives (RTOs); lack of understanding of specific business
objectives and critical processes
failure; facilities destroyed; equipment lost/misplaced/stolen;
intentional or unintentional vandalism; lack of redundant
systems or IT resources; lack of funding to support
redundancy; failure to develop and update business continuity
strategies; failure to test business continuity plans
Unable to address user problems in IT systems in a reliable
manner; inefficient processing of support tasks (failure to gain
efficiencies by tracking similar issues); inability to identify
recurring issues; inability to prioritize support requisitions;
failure to support business and academic processes; poor
perception/reputation of IT
Institutional website unavailable for a period of time; staff and
poor perception/reputation of IT
Failure of business processes (e.g., payroll, tax, HR
functions); inability to execute on institutional mission; inability
to participate in research activities; costs of outsourcing
functions for a period of time; costs to recover data; regulatory
implications for failure to meet legal or contractual
requirements; institutional reputation loss; poor
perception/reputation of IT
Failure of business, academic, or research processes;
inability to execute on institutional mission; costs of
outsourcing functions for a period of time; costs to recover
data; regulatory implications for failure to meet legal or
contractual requirements; institutional reputation loss; poor
perception/reputation of IT
Loss of communications within and beyond campus network;
failure of IT services; failure of emergency notification
services; institutional reputation loss; poor
perception/reputation of IT
18 Areas housing critical IT assets (e.g., hardware, devices, data, Smoke, biological or chemical agents, asbestos, other IT personnel unable to access an area; emergency
and software) or services physically inaccessible, inoperable, hazards; lock failures; intentional or unintentional vandalism; responders unable to access an area; unauthorized personnel
or unsuitable for human access natural disaster damage; access to facility not controlled possibly able to access the area; IT systems disabled or
tampered with; failure of IT systems; theft of critical IT
systems; theft of institutional data; unable to bring IT or other
critical systems back online; destruction of backups of
software, configurations, data, or logs

19 Failure to make adequate plans for continuation of
institutional business processes (e.g., admissions, academic,
operational activities, and research) in the event of an
extended IT outage
Hardware failure; software failure; data deleted; facility Unable to recover systems and data to support business,
destroyed; equipment lost/misplaced/stolen; lack of senior academic, and research processes and activities in a timely
management support; complexity of business processes and manner; staff unable to understand roles/responsibilities; staff
automated systems; lack of funding and tools to support and resource expense to return to operations; failure to
continuity planning efforts; failure to update business support institutional mission; institutional reputation loss; poor
continuity strategies; failure to test business continuity plans; perception/reputation of IT
failure to ensure staff understand roles and responsibilities;
failure to incorporate lessons learned into strategies; failure to
address all phases of business continuity; establishing
unrealistic recovery time objectives (RTOs); lack of
understanding of specific business objectives and critical
processes; lack of prioritization of critical business and IT
processes; failure to make appropriate arrangements with
vendors to provide redundant or support services

20 No coordinated vetting and review process for third-party or
cloud-computing services used to store, process, or transmit
institutional data
Lack of senior management support; lack of communication of Multiple redundant services in place (inefficient and costly for
central vetting process to staff/employees; failure to the institution); institution unaware who its business partners
understand the need to protect institutional data are; institution unaware if institutional data are held by third
parties; institution unable to ensure that third parties are
following compliance requirements

21 Failure to create and maintain sufficient and current policies
and standards to protect the confidentiality, integrity, and
availability of institutional data and IT resources (e.g.,
hardware, devices, data, and software)
Lack of senior management support; failure to understand Improper use of university IT systems and institutional data;
information security concepts; lack of funding to support policy failure of users to protect critical institutional data when using
development activities; lack of funding for training; lack of user IT resources (leading to data breach); institution subject to
training regulatory violations and fines; institutional reputation loss;
poor perception/reputation of IT

22 Data breach or leak of sensitive information (e.g., academic,
business, or research data)
Lack of senior management support; complex regulatory
environments impacting higher education IT systems and data
(e.g., FERPA, HIPAA, GLBA, PCI, accessibility, export
controls, etc.); complexity of IT systems, infrastructure, and
services; lack of funding for data handling training; lack of
user training; intentional user malfeasance; unintentional user
error; hacking or infiltration by third parties
Institution subject to regulatory violations and fines; costs of
breach notification; costs of redress for individuals; loss of
alumni donations; loss of research data; costs to mitigate
underlying breach event; institutional reputation loss; poor
perception/reputation of IT
23 Inadequate cyber security incident or event response Lack of senior management support; complexity of business
processes and automated systems; lack of funding and tools
to support security incident response; failure to update
incident response strategies; failure to test incident response
plans; lack of staff with incident response expertise
Unable to recover systems and data to support business,
academic, and research processes and activities in a timely
manner; staff and resource expense to return to operations
following a security incident; unable to assist in legal
investigations related to an incident; institutional reputation
loss; poor perception/reputation of IT

24 Failure to control logical access and incorporate principles of Failure to use authentication systems; failure of authentication
least functionality to IT resources (e.g., hardware, devices, systems; authentication systems easily disabled; giving user
data, and software) and systems access to more systems and assets than is needed to
complete staff tasks; failure to remove access when user
separates from the institution or changes job duties; lack of
staff with identity management expertise
Unauthorized access to IT systems; IT systems disabled or
tampered with; failure of IT systems; theft of critical IT
systems; theft of institutional data; users mistakenly given
more system access than is needed to complete job duties;
inability to maintain the confidentiality of data in institutional
systems

25 Failure to control physical access to data centers/facilities and Failure to use physical locks; failure of physical locks; physical Unauthorized access to facilities or IT systems; IT systems
areas housing critical IT resources (e.g., hardware, devices, locks easily disabled; failure to use authentication systems; disabled or tampered with; failure of IT systems; theft of
data, and software) and systems failure of authentication systems; authentication systems critical IT systems; theft of institutional data
easily disabled

26 Failure to follow organized life-cycle management practices
(development, acquisition, use, transfer, repair, replacement,
destruction) for institutional IT resources and systems
Lack of senior management support; complexity of IT
processes and systems; lack of funding and tools to support
life-cycle management efforts; failure to update
documentation when conditions change; insufficient staff to
attend to task efforts; failure to train IT staff on life-cycle
management processes (including equipment removal and
destruction, data deletion)
Multiple redundant resources in place (inefficient and costly
for the institution); institution unaware where its IT resources
and systems are located; institution unaware how its data are
transmitted or where its data are; institution unaware if IT
resources or institutional data are held by third parties;
institution unable to ensure its own or third-party adherence to
compliance requirements; inability to support, prioritize, or
understand criticality of systems for business continuity
purposes; financial losses due to replacement of misplaced
systems; regulatory fines for improper disposal of resources
and/or data (data breach or toxic waste disposal); institutional
reputation loss

27 Failure to document institutional IT infrastructure architecture
and to implement change-control processes (including
creating, maintaining, and revising baseline IT system
configurations)
Lack of senior management support; complexity of IT
processes and systems; lack of funding and tools to support
change-control processes and efforts; failure to update
documentation when conditions change; insufficient staff to
attend to task efforts; failure to train IT staff on change-control
processes
Multiple redundant resources in place (inefficient and costly
for the institution); inability to support, prioritize, or understand
criticality of systems for business continuity purposes; inability
to provide a baseline configuration of successful IT
operations; failure to understand the effect of IT configuration
changes on business system processes; multiple departments
making uncoordinated changes to IT systems; financial losses
due to duplicative changes and required rollbacks
28 Institutional IT communication and data flows not documented Lack of senior management support; complexity of IT
processes and systems; lack of funding and tools for mapping
efforts; failure to update maps/data flows when conditions
change; insufficient staff to attend to task efforts
29 Licenses and permits for institutional IT systems and software Lack of senior management support; complexity of IT
not maintained infrastructure and software licensing requirements; lack of
funding and tools for licensing management; insufficient staff
to attend to acquisition efforts; failure to train IT staff on the
need for software/hardware licenses
30 No process for ensuring institutional data remain complete, Lack of senior management support; complexity of business
accurate, and valid during input, update, and storage processes and automated systems; failure to ensure staff
understand roles and responsibilities; failure to train staff on
proper data entry; failure to incorporate automated processes
to ensure valid data entry; failure to log data changes
31 Audit logs on critical IT systems and processes not Lack of senior management support; complexity of IT Unable to understand and recreate anomalies experienced in
maintained infrastructure; lack of funding and tools for log management; IT systems; unable to perform forensic analysis
lack of space to store logs; lack of tools to review and manage
log entries; insufficient staff to attend to log management;
32 Too few IT staff to ensure continuous IT system operations Inability to recruit and retain sufficient numbers of competent
IT staff needed to support enterprise IT operations; failure to
maintain the staffing levels or skill sets needed to support
enterprise IT operations; any personal situation that renders
personnel unable to attend to institutional duties (military
service, family obligations, natural disaster, death); single
expert in field separates from employment with institution;
vendor personnel unavailable under similar scenarios as
presented above; inability to be physically present on campus
due to a natural disaster or civil disturbance
33 Users (e.g., students, faculty, staff, administrators, third Lack of senior management support; complex regulatory
parties) do not follow legal and regulatory requirements environments impacting higher education IT systems and data
regarding the operation/use of IT systems and the use of (e.g., FERPA, HIPAA, GLBA, PCI, accessibility, export
institutional data controls, etc.); lack of funding for training; lack of user training
Multiple redundant services/communication flows in place
(inefficient and costly for the institution); institution unaware
how its data are transmitted or where its data are; institution
unaware if institutional data are held by third parties;
institution unable to ensure its own or third-party adherence to
compliance requirements; inability to support, prioritize, or
understand criticality of systems for business continuity
purposes
Operation of IT resources and software in a manner that
violates contractual terms; institution subject to contract
liability; institutional reputation loss; poor
perception/reputation of IT
Failure of business, academic, or research processes;
inability to execute on institutional mission; costs of
outsourcing functions for a period of time; costs to recover
data; regulatory implications for failure to meet legal or
contractual requirements; loss of integrity in automated
systems
Inability to enhance, improve, or increase the provision of
enterprise IT operations; unable to operate/recover systems
and data to support to support business, academic, and
research processes and activities; overreliance on key staff;
low employee morale; increased employee turnover; failure to
support institutional mission
Improper use of university IT systems and institutional data;
failure of users to protect critical institutional data when using
IT resources (leading to data breach); institution subject to
regulatory violations and fines; institutional reputation loss
34 Users (e.g., students, faculty, staff, administrators, third Lack of senior management support; complex university Improper use of university IT systems and institutional data;
parties) do not follow university policies regarding the policies impacting higher education IT systems and data; lack failure of users to protect critical institutional data when using
operation/use of IT systems and the use of institutional data of funding for training; lack of user training IT resources (leading to data breach); institution subject to
regulatory violations and fines; institutional reputation loss
Additional Notes Risk Citation
COBIT 5, EDM 1.01-1.03, EDM 2.01 (COBIT Risk Scenario Project Management - Best practices for IT Professionals - R. Murch, 2001
Category 1, 10)

COBIT 5, EDM 1.01, APO 1.01, APO 7.01, APO 7.02 (COBIT
Risk Scenario Category 4, 10)

COBIT 5, APO 1.01, 7.01 (COBIT Risk Scenario Category 4)

COBIT 5, EDM 1.01, EDM 1.02, APO 7.01 (COBIT Risk

Scenario Category 4, 10)

COBIT 5, EDM 2.01, APO 5.03, APO 6.02, BAI 1.03 ISACA Publication, "Risk Scenarios, using COBIT 5 for Risk."

NIST Cybersecurity Framework; ISO/IEC 27001:2013 A.8.2.1;

NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14
COBIT 5, BAI 2.01 (COBIT Risk Scenario Category 6)
COBIT 5, APO 4.03-4.06 (COBIT Rick Scenario Category 7, 20) Association of College and University Auditors (ACUA), Risk Dictionary (used with
permission)

COBIT 5, EDM 2.01, APO 1.04 (COBIT Risk Scenario Category Association of College and University Auditors (ACUA), Risk Dictionary (used with
1, 10) permission)

COBIT 5, BAI 2.01, 3.01-3.05 (COBIT Risk Scenario Category 9) ISACA Publication, "Risk Scenarios, using COBIT 5 for Risk."

COBIT 5, BAI 1.02-1.13 (COBIT Risk Scenario Category 3) Project Management - Best practices for IT Professionals - R. Murch, 2001

COBIT 5, EDM 2.01-2.03, APO 6.03, BAI 3.04 (COBIT Risk Association of College and University Auditors (ACUA), Risk Dictionary (used with
Scenario Category 3) permission)

COBIT 5,BAI 4.05 (COBIT Risk Scenario Category 6) Association of College and University Auditors (ACUA), Risk Dictionary (used with
permission)
COBIT 5, DSS 6.04-6.05 (COBIT Risk Scenario Category 6) Association of College and University Auditors (ACUA), Risk Dictionary (used with
permission)

COBIT 5, APO 1.03, APO 1.08, DSS 5.01, DSS 5.07 (COBIT ISACA Publication, "Risk Scenarios, using COBIT 5 for Risk."
Risk Scenario Category 15, 16)

COBIT 5, DSS 1.01 (COBIT Risk Scenario Category 6, 7, 8, 9)

COBIT 5, BAI 3.04, APO 10.02-10.05 (COBIT Risk Scenario

Category 11)
See also Cloud Controls Matrix Working Group, Cloud Controls
Matrix, https://cloudsecurityalliance.org/group/cloud-controls-
matrix/

NIST Cybersecurity Framework;

ISO/IEC 27001:2013 A.13.1.1, A.13.2.1;
COBIT 5, DSS 5.02 (COBIT Risk Scenario Category 16)
NIST SP 800-53 Rev. 4 AC-4, AC-17, AC-18, CP-8, SC-7
COBIT 5, DSS 1.04-1.05; DSS 4.03-4.04; DCC 5.05 (COBIT
Risk Scenario Category 5, 14, 18, 19)

NIST Cybersecurity Framework;

ISO/IEC 27001:2013 A.17.1.3;
NIST SP 800-53 Rev.4 CP-4, IR-3, PM-14;
COBIT 5, DSS 4.03-4.04 (COBIT Risk Scenario Category 5, 13)

COBIT 5, BAI 3.04, APO 10.02-10.05 (COBIT Risk Scenario

Category 11)
See also Cloud Controls Matrix Working Group, Cloud Controls
Matrix, https://cloudsecurityalliance.org/group/cloud-controls-
matrix/

NIST Cybersecurity Framework;

ISO/IEC 27001:2013 A.5.1.1;
NIST SP 800-53 Rev. 4 -1 controls from all families

COBIT 5, MEA 3.01-3.03; DSS 5.02 (Risk Scenario Category 6, Association of College and University Auditors (ACUA), Risk Dictionary (used with
12) permission)
COBIT 5, APO 13.01-13.03, DSS 5.02, DSS 5.07 (COBIT Risk Association of College and University Auditors (ACUA), Risk Dictionary (used with
Scenario Category 15, 16) permission)

NIST Cybersecurity Framework; ISO/IEC 27001:2013 A.9.1.2;

NIST SP 800-53 Rev. 4 AC-3, CM-7
COBIT 5, DSS 1.04-1.05; DSS 4.03-4.04; DCC 5.05 (COBIT
Risk Scenario Category 5, 14)

COBIT 5, DSS 1.04-1.05; DSS 4.03-4.04; DCC 5.05 (COBIT Association of College and University Auditors (ACUA), Risk Dictionary (used with
Risk Scenario Category 5, 14, 18, 19) permission)

NIST Cybersecurity Framework;

ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.7;
NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16
COBIT 5, APO 1.01, BAI 1.01, BAI 1.02-1.13, BAI 4.01-4.05
(COBIT Risk Scenario Category 2, 8, 9)

NIST Cybersecurity Framework;

ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2,
A.14.2.3, A.14.2.4;
NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10;
COBIT 5, BAI 4.04-4.05, BAI 10.04-10.05 (COBIT Risk Scenario
Category 8)
NIST Cybersecurity Framework;
ISO/IEC 27001:2013 A.13.2.1;
NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8

COBIT 5, DSS 6.02 (COBIT Risk Scenario Category 5) Association of College and University Auditors (ACUA), Risk Dictionary (used with
permission)

COBIT 5, DSS 5.07, DSS 6.05 (COBIT Risk Scenario Category

6, 15)

COBIT 5, APO 7.01-7.05 (COBIT Risk Scenario Category 4 & 5)

COBIT 5, MEA 3.01-3.03; DSS 5.02, APO 1.01, APO 7.01-7.05

(Risk Scenario Category 6, 12, 17)
ISACA, Using COBIT 5 for Risk, "Risk Scenarios," and ISACA,
COBIT 5, "Enabling Processes."
NIST Cybersecurity Framework;
ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7;
NIST SP 800-53 Rev. 4 MP-6;
COBIT 5, MEA 3.01-3.03; DSS 5.02, APO 1.01, APO 7.01-7.05
(Risk Scenario Category 6, 12, 17);
ISACA, Using COBIT 5 for Risk, "Risk Scenarios," and ISACA,
COBIT 5, "Enabling Processes."
 IT
e/
ic
e rv
c l Se

l
na
ce

l
na
cy /
fe e m

io
n

al

c
tio
ia

at

gi
ci

Li yst
pl

ra

ut

te
n
om

na

pe

ra
ep
S
ID No. Risk Statement

St
Fi

O
C

R
Critical institutional business and academic data (e.g., admissions, business operations, research, etc.) not available
15 when needed X X X X X
IT assets (e.g., hardware, devices, data, and software) and systems not prioritized based on their classification, criticality,
6 and institutional value X X X X
Failure to designate leadership (e.g., an individual or individuals) for institutional oversight and strategic direction for IT
2 operations X X X
Failure to designate leadership (e.g., an individual or individuals) for institutional oversight and strategic direction for
3 information security activities X X X
No coordinated vetting and review process for third-party or cloud-computing services used to store, process, or transmit
20 institutional data X X X
Failure to create and maintain sufficient and current policies and standards to protect the confidentiality, integrity, and
21 availability of institutional data and IT resources (e.g., hardware, devices, data, and software) X X X
Data breach or leak of sensitive information (e.g., academic, business, or research data)
22 X X X
Users (e.g., students, faculty, staff, administrators, third parties) do not follow legal and regulatory requirements regarding
33 the operation/use of IT systems and the use of institutional data X X X
Users (e.g., students, faculty, staff, administrators, third parties) do not follow university policies regarding the
34 operation/use of IT systems and the use of institutional data X X X
Licenses and permits for institutional IT systems and software not maintained
29 X X
Failure to make adequate plans for continuation of institutional business processes (e.g., admissions, academic,
19 operational activities, and research) in the event of an extended IT outage X X X
Relevant stakeholders not included in important IT investment decisions (e.g., priorities, technologies, new applications)
5 X X
Lack of shared understanding by IT and business units that affects IT service delivery and projects
9 X X
IT projects not managed in terms of budget, scheduling, scope, priority, and delivery
10 X X
No process for identifying and allocating costs attributable to IT services
11 X X
IT assets (e.g., hardware, devices, data, and software), systems, and services outdated, do not support institutional needs
7 (admissions, academic, business operations, research, etc.) X X
No process for measuring and managing IT performance
12 X X
No process for managing IT problems to ensure they are adequately resolved or for investigating causes to prevent
13 recurrence X X
Loss of access—for an unacceptable period of time—to IT systems and services hosted by another organization
16 X X
IT communications and networks not protected from complete or intermittent failure
17 X X
Areas housing critical IT assets (e.g., hardware, devices, data, and software) or services physically inaccessible,
18 inoperable, or unsuitable for human access X X
Inadequate cyber security incident or event response
23 X X
 Failure to control logical access and incorporate principles of least functionality to IT resources (e.g., hardware, devices,
24 data, and software) and systems X X
Failure to control physical access to data centers/facilities and areas housing critical IT resources (e.g., hardware,
25 devices, data, and software) and systems X X
Failure to document institutional IT infrastructure architecture and to implement change-control processes (including
27 creating, maintaining, and revising baseline IT system configurations) X X
Institutional IT communication and data flows not documented
28 X X
No process for ensuring institutional data remain complete, accurate, and valid during input, update, and storage
30 X X
Audit logs on critical IT systems and processes not maintained
31 X X
Too few IT staff to ensure continuous IT system operations
32 X X
Incorrect information on public-facing institutional resources (e.g., website, social media streams)
14 X X
No succession plan for key institutional IT leaders (e.g., CIO, CISO, CTO, CPO, etc.)
4 X
IT management aims and directions not communicated to critical user areas
8 X
Failure to follow organized life-cycle management practices (development, acquisition, use, transfer, repair, replacement,
26 destruction) for institutional IT resources and systems X
IT governance and priorities not aligned with institutional priorities
1
 c
gi
te
ra

Notes
St

X
X

X
 y
og

&
g

s
ol

&
in

ty
t
hn

ut

en
re

te

ui
es

rit
p

tu
ec
T

re n

s ys
em

tin
m
ic

cu
fI

E ctu atio

uc
lT

us on S
rv

at s Co
to

on
ag
e
s str
rs
Se

es na

n
S
ru ic
en

C
an
ic ch

te

s t un

ic ra

ic ti
ic o
rt

en

pl m a
m

io

s
i

rv a r

M
rv Inf
rv a t

fra m
po

es
i
at
e

t
Se ese
Se uc

C
e

a
y
In om

Ap for
ag

Se nt.

rm

in
tit
Su

Ed

a
an

en

In
R

fo
ID No. Risk Statement

IT
M

In

Id
D

B
Users (e.g., students, faculty, staff, administrators, third parties) do not follow legal and
regulatory requirements regarding the operation/use of IT systems and the use of
33 institutional data X X

Users (e.g., students, faculty, staff, administrators, third parties) do not follow university
34 policies regarding the operation/use of IT systems and the use of institutional data X X

8 IT management aims and directions not communicated to critical user areas X X

Lack of shared understanding by IT and business units that affects IT service delivery
9 and projects X X

32 Too few IT staff to ensure continuous IT system operations X X

Failure to designate leadership (e.g., an individual or individuals) for institutional

3 oversight and strategic direction for information security activities X

Failure to designate leadership (e.g., an individual or individuals) for institutional

2 oversight and strategic direction for IT operations X

IT assets (e.g., hardware, devices, data, and software), systems, and services outdated,
do not support institutional needs (admissions, academic, business operations,
7 research, etc.) X

1 IT governance and priorities not aligned with institutional priorities X

10 IT projects not managed in terms of budget, scheduling, scope, priority, and delivery X

29 Licenses and permits for institutional IT systems and software not maintained X

11 No process for identifying and allocating costs attributable to IT services X

 4 No succession plan for key institutional IT leaders (e.g., CIO, CISO, CTO, CPO, etc.) X

Relevant stakeholders not included in important IT investment decisions (e.g., priorities,

5 technologies, new applications) X

No coordinated vetting and review process for third-party or cloud-computing services

20 used to store, process, or transmit institutional data X X

31 Audit logs on critical IT systems and processes not maintained X X

No process for ensuring institutional data remain complete, accurate, and valid during
30 input, update, and storage X X

No process for managing IT problems to ensure they are adequately resolved or for
13 investigating causes to prevent recurrence X X

28 Institutional IT communication and data flows not documented X X

IT assets (e.g., hardware, devices, data, and software) and systems not prioritized
6 based on their classification, criticality, and institutional value X X

Failure to follow organized life-cycle management practices (development, acquisition,

26 use, transfer, repair, replacement, destruction) for institutional IT resources and systems X

12 No process for measuring and managing IT performance X

Loss of access—for an unacceptable period of time—to IT systems and services hosted

16 by another organization X X X X X X

Areas housing critical IT assets (e.g., hardware, devices, data, and software) or services
18 physically inaccessible, inoperable, or unsuitable for human access X X

17 IT communications and networks not protected from complete or intermittent failure X X

Incorrect information on public-facing institutional resources (e.g., website, social media

14 streams) X X
 Critical institutional business and academic data (e.g., admissions, business operations,
15 research, etc.) not available when needed X

22 Data breach or leak of sensitive information (e.g., academic, business, or research data) X

Failure to control physical access to data centers/facilities and areas housing critical IT
25 resources (e.g., hardware, devices, data, and software) and systems X

Failure to create and maintain sufficient and current policies and standards to protect
the confidentiality, integrity, and availability of institutional data and IT resources (e.g.,
21 hardware, devices, data, and software) X

23 Inadequate cyber security incident or event response X

Failure to control logical access and incorporate principles of least functionality to IT

24 resources (e.g., hardware, devices, data, and software) and systems X

Failure to document institutional IT infrastructure architecture and to implement change-

control processes (including creating, maintaining, and revising baseline IT system
27 configurations) X X

Failure to make adequate plans for continuation of institutional business processes

(e.g., admissions, academic, operational activities, and research) in the event of an
19 extended IT outage X
Notes
ID No. Risk Statement Risk Causes Risk Impacts
1 IT governance and priorities not aligned with institutional IT failure to understand institutional strategy; lack of Poor governance of enterprise IT; inability to use IT to
priorities institutional support for IT operations strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; inefficiencies and duplication of
effort; poor perception/reputation of enterprise IT

2 Failure to designate leadership (e.g., an individual or
individuals) for institutional oversight and strategic direction
for IT operations
Lack of institutional support for IT operations
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; creation of fiefdoms leading to
inefficiencies and duplication of effort

3 Failure to designate leadership (e.g., an individual or
individuals) for institutional oversight and strategic direction
for information security activities
Lack of institutional support for IT and information security
operations
Poor governance of enterprise information security efforts;
inability to enhance, improve, or increase the effectiveness of
institutional information security; data breaches; failure to
meet regulatory compliance requirements; regulatory fines
and expenses

4 No succession plan for key institutional IT leaders (e.g., CIO, Lack of institutional support for IT operations; human nature Leadership void in the event of separation of a key IT leader
CISO, CTO, CPO, etc.) not to plan for succession activities; lack of qualified internal from the institution
staff for succession planning

5 Relevant stakeholders not included in important IT investment Lack of senior management support; stakeholders fail to Uses of university IT systems that contravene good
decisions (e.g., priorities, technologies, new applications) understand IT investment decisions (or provision of IT investment decision making; poor governance of enterprise
services in general); inability to identify stakeholders IT; inability to use IT to strategically support institutional
mission (admissions, research, institutional operations,
outreach to the community); inability to enhance, improve, or
increase the provision of enterprise IT operations;
inefficiencies and duplication of effort; increased cost for
providing IT services; poor perception/reputation of enterprise
IT
6 IT assets (e.g., hardware, devices, data, and software) and Lack of senior management support; complexity of business Multiple redundant resources in place (inefficient and costly
systems not prioritized based on their classification, criticality, processes and automated systems; lack of funding and tools for the institution); lack of institutional knowledge about where
and institutional value for prioritization efforts; failure to update prioritization when IT resources, systems, and data are located; inability to
conditions change; stakeholder failure to agree on resource implement business continuity plans to support institutional
prioritization operations; financial losses due to replacement of nonpriority
systems; inability to execute strategic projects
 7 IT assets (e.g., hardware, devices, data, and software),
systems, and services outdated, do not support institutional
needs (admissions, academic, business operations, research,
etc.)
8 IT management aims and directions not communicated to
critical user areas
9 Lack of shared understanding by IT and business units that
affects IT service delivery and projects
10 IT projects not managed in terms of budget, scheduling,
scope, priority, and delivery
11 No process for identifying and allocating costs attributable to
IT services
12 No process for measuring and managing IT performance
Complex and inflexible institutional enterprise IT architecture
(not scalable for current needs); failure to adopt new IT
infrastructure and/or services in a timely manner to support
institutional needs
Lack of senior management support; failure to understand IT
management priorities; failure to prioritize communications to
critical user areas; lack of multiple communication channels
(e.g., e-mail, print media, other electronic media) to convey
information to user areas; failure of users to pay attention
Lack of senior management support; failure of IT staff to
understand business processes and how IT services can
benefit those process; failure of business staff to understand
IT processes; inability to identify and document business
processes; mutual disrespect
Lack of senior management support; complexity of IT
systems; complexity of cross-institutional IT projects; failure to
assign a project manager or implement project management
methodologies when engaging in IT projects; failure to inform
stakeholders about project changes
Lack of senior management support; complexity of IT
systems; complexity of institutional cost-allocation process;
inability to calculate TCO of providing IT services; failure to
account for indirect costs such as software license and
upgrade fees
Lack of senior management support; complexity of IT
infrastructure; lack of funding and tools for performance
management or metrics; insufficient staff to attend to
performance management; failure to inform institutional
audience about performance management
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to provide needed business, academic, research
services; inability to enhance, improve, or increase the
provision of enterprise IT operations; increased cost for
providing IT services; failure to support user IT needs; poor
perception/reputation of enterprise IT
Uses of university IT systems that contravene management
aims; poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; inefficiencies and duplication of
effort; poor perception/reputation of enterprise IT
Inability to use IT to strategically support institutional mission
(admissions, research, institutional operations, outreach to
the community); inability to enhance, improve, or increase the
provision of enterprise IT operations to support business,
academic, or research processes; increased cost for
providing IT services; failure of business process
reengineering; distrust between organizational units
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; increased cost for providing IT
services; failure of IT projects; poor perception/reputation of
enterprise IT
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; increased cost for providing IT
services
Poor governance of enterprise IT; inability to use IT to
strategically support institutional mission (admissions,
research, institutional operations, outreach to the community);
inability to enhance, improve, or increase the provision of
enterprise IT operations; increased cost for providing IT
services
13 No process for managing IT problems to ensure they are
adequately resolved or for investigating causes to prevent
recurrence
14 Incorrect information on public-facing institutional resources
(e.g., website, social media streams)
15 Critical institutional business and academic data (e.g.,
admissions, business operations, research, etc.) not available destroyed; equipment lost/misplaced/stolen; lack of adequate
when needed
16 Loss of access—for an unacceptable period of time—to IT
systems and services hosted by another organization
17 IT communications and networks not protected from complete Internet or campus network failure; hardware failure; software
or intermittent failure
Lack of senior management support; complexity of IT
infrastructure; lack of funding and tools for service
management; insufficient staff to attend to service
management; failure to inform institutional audience about
support processes; insufficiently skilled staff to investigate and
resolve problems
Information on public websites out of date; internal posting
mistakes made by staff; intentional or unintentional vandalism resource costs to repair website; institutional reputation loss;
Hardware failure; software failure; data deleted; facility
backups; lack of source documents or input files; data on
backups corrupted; backups unavailable (e.g., lost, stolen,
missing); failure to make appropriate arrangements with
vendors to provide redundant or support services; lack of
understanding recovery point objective (RPO—how much
data can be lost and recreated); failure to conduct, maintain,
and periodically test backups
Internet or campus network failure; hardware failure; software
failure; data deleted; facility destroyed; equipment
lost/misplaced/stolen (can be on the part of vendor or on
institutional systems that interact with vendor systems); failure
of authentication systems (vendor or institution); failure to
make appropriate arrangements with vendors to provide
redundant or support services; failure to develop and update
business continuity strategies; failure to test business
continuity plans; establishing unrealistic recovery time
objectives (RTOs); lack of understanding of specific business
objectives and critical processes
failure; facilities destroyed; equipment lost/misplaced/stolen;
intentional or unintentional vandalism; lack of redundant
systems or IT resources; lack of funding to support
redundancy; failure to develop and update business continuity
strategies; failure to test business continuity plans
Unable to address user problems in IT systems in a reliable
manner; inefficient processing of support tasks (failure to gain
efficiencies by tracking similar issues); inability to identify
recurring issues; inability to prioritize support requisitions;
failure to support business and academic processes; poor
perception/reputation of IT
Institutional website unavailable for a period of time; staff and
poor perception/reputation of IT
Failure of business processes (e.g., payroll, tax, HR
functions); inability to execute on institutional mission; inability
to participate in research activities; costs of outsourcing
functions for a period of time; costs to recover data; regulatory
implications for failure to meet legal or contractual
requirements; institutional reputation loss; poor
perception/reputation of IT
Failure of business, academic, or research processes;
inability to execute on institutional mission; costs of
outsourcing functions for a period of time; costs to recover
data; regulatory implications for failure to meet legal or
contractual requirements; institutional reputation loss; poor
perception/reputation of IT
Loss of communications within and beyond campus network;
failure of IT services; failure of emergency notification
services; institutional reputation loss; poor
perception/reputation of IT
18 Areas housing critical IT assets (e.g., hardware, devices, data, Smoke, biological or chemical agents, asbestos, other IT personnel unable to access an area; emergency
and software) or services physically inaccessible, inoperable, hazards; lock failures; intentional or unintentional vandalism; responders unable to access an area; unauthorized personnel
or unsuitable for human access natural disaster damage; access to facility not controlled possibly able to access the area; IT systems disabled or
tampered with; failure of IT systems; theft of critical IT
systems; theft of institutional data; unable to bring IT or other
critical systems back online; destruction of backups of
software, configurations, data, or logs

19 Failure to make adequate plans for continuation of
institutional business processes (e.g., admissions, academic,
operational activities, and research) in the event of an
extended IT outage
Hardware failure; software failure; data deleted; facility Unable to recover systems and data to support business,
destroyed; equipment lost/misplaced/stolen; lack of senior academic, and research processes and activities in a timely
management support; complexity of business processes and manner; staff unable to understand roles/responsibilities; staff
automated systems; lack of funding and tools to support and resource expense to return to operations; failure to
continuity planning efforts; failure to update business support institutional mission; institutional reputation loss; poor
continuity strategies; failure to test business continuity plans; perception/reputation of IT
failure to ensure staff understand roles and responsibilities;
failure to incorporate lessons learned into strategies; failure to
address all phases of business continuity; establishing
unrealistic recovery time objectives (RTOs); lack of
understanding of specific business objectives and critical
processes; lack of prioritization of critical business and IT
processes; failure to make appropriate arrangements with
vendors to provide redundant or support services

20 No coordinated vetting and review process for third-party or
cloud-computing services used to store, process, or transmit
institutional data
Lack of senior management support; lack of communication of Multiple redundant services in place (inefficient and costly for
central vetting process to staff/employees; failure to the institution); institution unaware who its business partners
understand the need to protect institutional data are; institution unaware if institutional data are held by third
parties; institution unable to ensure that third parties are
following compliance requirements

21 Failure to create and maintain sufficient and current policies
and standards to protect the confidentiality, integrity, and
availability of institutional data and IT resources (e.g.,
hardware, devices, data, and software)
Lack of senior management support; failure to understand Improper use of university IT systems and institutional data;
information security concepts; lack of funding to support policy failure of users to protect critical institutional data when using
development activities; lack of funding for training; lack of user IT resources (leading to data breach); institution subject to
training regulatory violations and fines; institutional reputation loss;
poor perception/reputation of IT

22 Data breach or leak of sensitive information (e.g., academic,
business, or research data)
Lack of senior management support; complex regulatory
environments impacting higher education IT systems and data
(e.g., FERPA, HIPAA, GLBA, PCI, accessibility, export
controls, etc.); complexity of IT systems, infrastructure, and
services; lack of funding for data handling training; lack of
user training; intentional user malfeasance; unintentional user
error; hacking or infiltration by third parties
Institution subject to regulatory violations and fines; costs of
breach notification; costs of redress for individuals; loss of
alumni donations; loss of research data; costs to mitigate
underlying breach event; institutional reputation loss; poor
perception/reputation of IT
23 Inadequate cyber security incident or event response Lack of senior management support; complexity of business
processes and automated systems; lack of funding and tools
to support security incident response; failure to update
incident response strategies; failure to test incident response
plans; lack of staff with incident response expertise
Unable to recover systems and data to support business,
academic, and research processes and activities in a timely
manner; staff and resource expense to return to operations
following a security incident; unable to assist in legal
investigations related to an incident; institutional reputation
loss; poor perception/reputation of IT

24 Failure to control logical access and incorporate principles of Failure to use authentication systems; failure of authentication
least functionality to IT resources (e.g., hardware, devices, systems; authentication systems easily disabled; giving user
data, and software) and systems access to more systems and assets than is needed to
complete staff tasks; failure to remove access when user
separates from the institution or changes job duties; lack of
staff with identity management expertise
Unauthorized access to IT systems; IT systems disabled or
tampered with; failure of IT systems; theft of critical IT
systems; theft of institutional data; users mistakenly given
more system access than is needed to complete job duties;
inability to maintain the confidentiality of data in institutional
systems

25 Failure to control physical access to data centers/facilities and Failure to use physical locks; failure of physical locks; physical Unauthorized access to facilities or IT systems; IT systems
areas housing critical IT resources (e.g., hardware, devices, locks easily disabled; failure to use authentication systems; disabled or tampered with; failure of IT systems; theft of
data, and software) and systems failure of authentication systems; authentication systems critical IT systems; theft of institutional data
easily disabled

26 Failure to follow organized life-cycle management practices
(development, acquisition, use, transfer, repair, replacement,
destruction) for institutional IT resources and systems
Lack of senior management support; complexity of IT
processes and systems; lack of funding and tools to support
life-cycle management efforts; failure to update
documentation when conditions change; insufficient staff to
attend to task efforts; failure to train IT staff on life-cycle
management processes (including equipment removal and
destruction, data deletion)
Multiple redundant resources in place (inefficient and costly
for the institution); institution unaware where its IT resources
and systems are located; institution unaware how its data are
transmitted or where its data are; institution unaware if IT
resources or institutional data are held by third parties;
institution unable to ensure its own or third-party adherence to
compliance requirements; inability to support, prioritize, or
understand criticality of systems for business continuity
purposes; financial losses due to replacement of misplaced
systems; regulatory fines for improper disposal of resources
and/or data (data breach or toxic waste disposal); institutional
reputation loss

27 Failure to document institutional IT infrastructure architecture
and to implement change-control processes (including
creating, maintaining, and revising baseline IT system
configurations)
Lack of senior management support; complexity of IT
processes and systems; lack of funding and tools to support
change-control processes and efforts; failure to update
documentation when conditions change; insufficient staff to
attend to task efforts; failure to train IT staff on change-control
processes
Multiple redundant resources in place (inefficient and costly
for the institution); inability to support, prioritize, or understand
criticality of systems for business continuity purposes; inability
to provide a baseline configuration of successful IT
operations; failure to understand the effect of IT configuration
changes on business system processes; multiple departments
making uncoordinated changes to IT systems; financial losses
due to duplicative changes and required rollbacks
28 Institutional IT communication and data flows not documented Lack of senior management support; complexity of IT
processes and systems; lack of funding and tools for mapping
efforts; failure to update maps/data flows when conditions
change; insufficient staff to attend to task efforts
29 Licenses and permits for institutional IT systems and software Lack of senior management support; complexity of IT
not maintained infrastructure and software licensing requirements; lack of
funding and tools for licensing management; insufficient staff
to attend to acquisition efforts; failure to train IT staff on the
need for software/hardware licenses
30 No process for ensuring institutional data remain complete, Lack of senior management support; complexity of business
accurate, and valid during input, update, and storage processes and automated systems; failure to ensure staff
understand roles and responsibilities; failure to train staff on
proper data entry; failure to incorporate automated processes
to ensure valid data entry; failure to log data changes
31 Audit logs on critical IT systems and processes not Lack of senior management support; complexity of IT Unable to understand and recreate anomalies experienced in
maintained infrastructure; lack of funding and tools for log management; IT systems; unable to perform forensic analysis
lack of space to store logs; lack of tools to review and manage
log entries; insufficient staff to attend to log management;
32 Too few IT staff to ensure continuous IT system operations Inability to recruit and retain sufficient numbers of competent
IT staff needed to support enterprise IT operations; failure to
maintain the staffing levels or skill sets needed to support
enterprise IT operations; any personal situation that renders
personnel unable to attend to institutional duties (military
service, family obligations, natural disaster, death); single
expert in field separates from employment with institution;
vendor personnel unavailable under similar scenarios as
presented above; inability to be physically present on campus
due to a natural disaster or civil disturbance
33 Users (e.g., students, faculty, staff, administrators, third Lack of senior management support; complex regulatory
parties) do not follow legal and regulatory requirements environments impacting higher education IT systems and data
regarding the operation/use of IT systems and the use of (e.g., FERPA, HIPAA, GLBA, PCI, accessibility, export
institutional data controls, etc.); lack of funding for training; lack of user training
Multiple redundant services/communication flows in place
(inefficient and costly for the institution); institution unaware
how its data are transmitted or where its data are; institution
unaware if institutional data are held by third parties;
institution unable to ensure its own or third-party adherence to
compliance requirements; inability to support, prioritize, or
understand criticality of systems for business continuity
purposes
Operation of IT resources and software in a manner that
violates contractual terms; institution subject to contract
liability; institutional reputation loss; poor
perception/reputation of IT
Failure of business, academic, or research processes;
inability to execute on institutional mission; costs of
outsourcing functions for a period of time; costs to recover
data; regulatory implications for failure to meet legal or
contractual requirements; loss of integrity in automated
systems
Inability to enhance, improve, or increase the provision of
enterprise IT operations; unable to operate/recover systems
and data to support to support business, academic, and
research processes and activities; overreliance on key staff;
low employee morale; increased employee turnover; failure to
support institutional mission
Improper use of university IT systems and institutional data;
failure of users to protect critical institutional data when using
IT resources (leading to data breach); institution subject to
regulatory violations and fines; institutional reputation loss
34 Users (e.g., students, faculty, staff, administrators, third Lack of senior management support; complex university Improper use of university IT systems and institutional data;
parties) do not follow university policies regarding the policies impacting higher education IT systems and data; lack failure of users to protect critical institutional data when using
operation/use of IT systems and the use of institutional data of funding for training; lack of user training IT resources (leading to data breach); institution subject to
regulatory violations and fines; institutional reputation loss
Likilhood Impact Velocity (Horizon) Score Notes
0

0
0

0
0

0
0

0
0

0
0

0
0
 Acknowledgments
 
The 2015 EDUCAUSE IT GRC Advisory Panel contributed their vision and significant talents to the conception, creation, and 
completion of the risk register:
Cathy  Bates, Associate Vice Chancellor and Chief Information Officer, Appalachian State University
Niraj Bhagat, Environmental Health & Safety and Information Systems Manager, Southern Methodist University
Michael Chapple, Senior Director for IT Service Delivery, University of Notre Dame
Mike Corn, Deputy Chief Information Officer, Brandeis University
Elias Eldayrie, Vice President and Chief Information Officer, University of Florida 
Merri Beth Lavagnino, Chief Risk Officer, Indiana University
Susie McCormick, Assistant Vice President for IT Budget and Administration, University of Virginia
Steve McDonald, General Counsel, Rhode Island School of Design
Peter Murray, Chief Information Officer and Vice President for Information Technology, University of Maryland, Baltimore
Gary Nimax, Assistant Vice President for Compliance and ERM, University of Virginia
Carol Rapps, Audit Manager, Information Systems, University of Texas, San Antonio
Marty Ringle, Chief Information Officer, Reed College
Cheryl Washington, Chief Information Security Officer, University of California, Davis
Madelyn Wessel, General Counsel, Virginia Commonwealth University
 
Many others donated their time and talents to this project. Contributors included individuals and members of several 
organizations: David Escalante, Boston College; the EDUCAUSE Higher Education Information Security Council (HEISC); the 
EDUCAUSE IT Accessibility Constituent Group; the National Association of College and University Attorneys (NACUA); the 
Association of College and University Auditors (ACUA); the University Risk Management and Insurance Association (URMIA); a
the National Association of College and University Business Officers (NACUBO). 
 
Special thanks go to the Association of College and University Auditors, which contributed IT risks from its Risk Dictionary to t
effort.   
 
EDUCAUSE staff members who contributed to this effort are Joanna Grama, Jon Lang, Susan Nesbitt, and Valerie Vogel.
the conception, creation, and 

ersity
thodist University

ginia

rsity of Maryland, Baltimore

and members of several 
Security Council (HEISC); the 
sity Attorneys (NACUA); the 
nsurance Association (URMIA); and 

risks from its Risk Dictionary to this 

Nesbitt, and Valerie Vogel.