Reaching Others University at Buffalo - The State University of New York

Security Risk Management Metrics


During the Spring of 2009, the Information Security Office (ISO) conducted a short security risk assessment of administrative units. We received a total of 18 responses.

Some units, due to the diverse nature of their business, elected to complete the assessment multiple times, once per self-identified sub-business-unit. This assessment only deals with risks and not mitigating factors.

Report Summary

The results were broken down to determine which units were affected by:

Security Risk Concerning Regulated Private Data

Graph of units affected by Regulated Data Policy

The survey results show that all of the units are affected, in some way, by the University's policy on private regulated data. In particular, all of the respondents reported that they used social security numbers internally. Given the prevalence of identity theft, this presents a significant risk to the University's administrative operations.

The next largest information risk was financial account numbers, including credit and debit card numbers. Half of the respondents indicated they handle financial account number data.

Half of the respondents indicated they were not using encryption technology (a technological risk) to protect private regulated data.

Security Process Risks

Graph showing Units with Process Risks

Finally, between 25% and 70% of respondents, depending on the item, indicated they were exposed to various types of process risk such as:

  • incomplete information asset inventories
  • incomplete physical asset inventories
  • insecure disposal of information assets
  • insecure transmission of information assets
  • lack of restrictions on physical copies of information assets
  • incomplete disaster planning
  • lack of secure off-site backup of information assets

Security Awareness Risk

Graphs showing low awareness of security risks

In terms of policy awareness, half of the respondents indicated they felt their employees were unaware of UB's policy on private regulated data.
