Helping Units Improve Their Security

The worst cybersecurity position to be in is not knowing what you don’t know.

“Knowledge + Action = Power,“ is how Teresa Banks sums up her credo for the Information Security Risk Management Program she manages.  

Teresa and the rest of the Information Security Office Governance, Risk, and Compliance Team (ISO-GRC) use UASecure, an online application developed by former ISO employee Sonya Lowry.

Campus users of UASecure greatly appreciate the benefits it brings. 

UASecure leads a unit’s Information Security Risk Management Team through standard steps to identify risks and their potential impact. Then, the team works together to prioritize and treat the identified risks.

A large library of common cases makes it easy to choose factors that apply in a particular department.

Units first identify the business impacts that are most concerning in their environment (e.g., reduction in student enrollment or research opportunities), assess their current vulnerabilities, and then make risk-informed decisions on how to improve their security posture.

Risk management teams review their risk management projects annually to record changes from the previous years. FY21 was the first year with reassessments and, campus wide, 40% of security plan items had been resolved.

This process provides numerous benefits to the University:

• University and departmental leadership have greater visibility into their current risk, so that they can make strategic decisions on how to invest to reduce the risk.
• Purchasing cybersecurity insurance is easier. With this process in place, the University has been able to negotiate coverage against ransomware attacks.
• The University can show the State Auditor General that risk has been identified and mitigated.  

The security plans generated in UASecure provide a roadmap for campus units and central IT on where to invest resources to achieve risk reduction. Departments are identifying potential threats before they happen, and central IT has improved enterprise system security. All this makes it easier for the University to focus attention on the academic and research mission.

The ISO-GRC Team is available to help departments go through the Information Security Risk Management process. Find out more about the Information Security Risk Management Program on Confluence (VPN), or contact the team at iso-compliance@arizona.edu.