Information Technology Services IT Security Office
Why DRAC?

The DRAC program was initiated in response to the federal/state requirement to conduct IT risk assessments throughout the university, down to the department and office levels. The program was explained to the President’s Council by the CIO/Vice President for IT in the fall of 2009.

What is the IT risk assessment?

The IT risk assessment will be conducted by completing an in-depth questionnaire, followed by the development of a related security plan. The risk assessment questionnaire consists of a Business Impact Analysis and a series of security questions based upon industry best practices and applicable federal regulations. The security plan will be developed through a documented response to the risks identified in a completed Risk Assessment Questionnaire (For reference purposes ONLY).

How does DRAC work?

Each DRAC will be placed into a cohort with common risk levels and similar business functions. Individual cohorts will move forward on a planned schedule with set milestones for the completion of the questionnaire and security plan. With guidance from the IT Security Office, the cohorts will complete a full risk assessment and develop a corresponding security plan by dividing the process into manageable portions over a period of three years. The IT Security Office will provide the framework of resources and procedures for each DRAC so that they can complete the risk assessment accurately and develop a practical security plan customized for their department.

Who is the ideal DRAC?

A successful Departmental Risk Assessment Coordinator (DRAC) will be someone who knows the business processes of his or her unit, department, or office and has been authorized by the department head to act on their behalf. The IT Security Office can work with individual departments to help identify appropriate candidates.

What are the specific duties of a DRAC?

The DRAC will complete a state-directed risk assessment evaluation of their department or office over a 3-year period. The assessment will be divided into manageable sections to be completed quarterly. The DRAC will be responsible for updating the assessment when there has been a significant change to the department’s IT infrastructure, such as a new application, or after the installation of a new server. The DRAC will also assist in the identification and analysis of risks pertaining to data security within the department or office. Additionally, the DRAC will act as a point of contact for the IT Security Office for various security related issues.

Disclaimer: As the authority for IT Security, the IT Security Office is responsible for IT Security policy and procedures. As such, DRACs will defer to the IT Security Office for all policy, procedures, and guidance.