Schedule of Risk Assessments for Information Security

February 2007
The goal of the information technology risk management process at Iowa State University is to protect
university information and university information systems from unacceptable risk. The requirement to
conduct risk assessments through a systematic process is described in the IT Security Policy. This schedule
sets out the timing of, and the unit responsible for, each required periodic risk assessment conducted under
the direction of the IT Security and Policies area. Additional risk assessments may be conducted at the
discretion of the unit, Internal Audit, or the IT Security and Policies area. Tools for performing a risk
assessment can be found at Risk Assessment Tools and Documents for Information Security [link].
Critical Financial Functions
The departments in Business & Finance, together with IT Services, have identified the functions below as
critical to the operation of the university. A formal risk assessment of each is required at least every three
years. The updated Business Impact Analysis and Risk Assessment for Information Resources is reviewed and
filed by the Director, IT Security and Policies.
Critical Function                                              Responsible Unit
Procurement and payment processing                             Purchasing, Controller
  (includes purchasing, p-card, employee travel
  reimbursements, accounts payable (voucher payment))
Payroll processing
Cash handling
Accounting transaction processing & reconciliation
Financial reporting
University receivables
NACHA – The Electronic Payments Association
NACHA develops the operating rules and business practices for the Automated Clearing House (ACH) Network
and for electronic payments in the areas of Internet commerce, electronic bill and invoice presentment and
payment (EBPP, EIPP), e-checks, financial electronic data interchange (EDI), international payments, and
electronic benefits transfer (EBT). Iowa State University Internal Audit conducts an annual risk assessment,
based on the NACHA Operating Rules, of ACH transactions originated through the Web.
Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) became effective June 30, 2005. PCI DSS applies
to any merchant or service provider that stores, processes or transmits cardholder data for the major card
brands; currently these are Visa, MasterCard, Discover, and American Express. One of the requirements placed
on a service provider is to complete a self-assessment questionnaire [link]. Iowa State University requires
that a self-assessment be completed and approved by the Treasurer and the Director, IT Security and Policies
before a unit begins accepting credit card transactions. An updated self-assessment is sent to the Treasurer
and the Director, IT Security and Policies annually thereafter.