Schedule of Risk Assessments for Information Security

February 2007

The goal of the information technology risk management process at Iowa State University is to protect university information and university information systems from unacceptable risk. The need to perform a systematic process of conducting a risk assessment is described in the IT Security Policy. This schedule outlines the timing and responsibility of required periodic risk assessments under the direction of the IT Security and Policies area. Other risk assessments may be conducted either at the discretion of the unit, internal audit, or IT Security and Policies area. Tools for performing the risk assessment can be found at Risk Assessment Tools and Documents for Information Security [link]

Critical Financial Functions The departments in Business & Finance along with IT Services have identified these functions as critical to the operation of the university. A formal risk assessment is required at least every three years. An updated Business Impact Analysis and Risk Assessment for Information Resources is reviewed and filed by the Director, IT Security and Policies. Function Responsible Unit Procurement and payment processing Purchasing, Controller includes purchasing, p-card, employee travel reimbursements, accounts payable (voucher payment) Payroll processing Controller Cash handling Treasurer Accounting transaction processing & reconciliation Controller Financial reporting Controller University receivables Treasurer FAMIS FP&M

NACHA – The Electronic Payments Association NACHA develops operating rules and business practices for the Automated Clearing House (ACH) Network and for electronic payments in the areas of Internet commerce, electronic bill and invoice presentment and payment (EBPP, EIPP), e-checks, financial electronic data interchange (EDI), international payments, and electronic benefits transfer (EBT). Iowa State University Internal Audit conducts an annual risk assessment based on the NACHA Operating Rules for ACH transactions originating from Web transactions.

Payment Card Industry Data Security Standard The Payment Card Industry Data Security Standard (PCI) became effective June 30, 2005. The PCI applies to any service provider that stores, processes or transmits cardholder data from the major credit card provider. Currently this is VISA, MasterCard, Discover, and American Express. One of the requirements of a service provider is to complete a self assessment form[link]. Iowa State University requires a self assessment be completed and approved by the Treasurer and the Director, IT Security and Policies before accepting credit card transactions. An updated self assessment is sent to the Treasurer and the Director, IT Security and Policies annually.