During the Spring of 2009, the Information Security Office (ISO)
conducted a short security risk assessment of administrative
units. We received 18 responses total.
Some units, due to the diverse nature of their business, elected
to complete the assessment multiple times, once per self-identified
sub-business-unit. This assessment only deals with risks and not
mitigating factors.
The results were broken down to determine which units were affected by:
The survey results show that all of the units are affected, in some way, by the University's policy on private regulated data. In particular, all of the respondents reported that they used social security numbers internally. Given the prevalence of identity theft, this presents a significant risk to the University's administrative operations.
The next largest information risk was financial account numbers, including credit and debit card numbers. Half of the respondents indicated they handle financial account number data.
Half of the respondents indicated they were not using encryption technology to protect private regulated data (a technological risk).
Finally, a wide range of respondents (25%-70%) indicated they were exposed to various types of process risk such as:
In terms of policy awareness, half of the respondents indicated they felt their employees were unaware of UB's policy on private regulated data.