Risk Center
Institutional Risk Register
Five primary institutional risks assessed on Likelihood × Impact (1-5). Zero tolerance for unmitigated FERPA and DHS/SEVIS exposure.
Risk appetite and tolerance
St. Francis College adopts a low appetite for risks involving unauthorized disclosure of FERPA-regulated data, SEVIS immigration records, or prolonged disruption of Banner ERP. The institution accepts moderate residual risk in areas requiring phased investment, provided interim compensating controls exist and executive leadership explicitly approves deferral.
Will accept
- Phased MFA rollout over six months if communications and helpdesk support are funded
- Limited vendor risk program scope in Year 1 focused on Tier-1 platforms handling student data
- Manual audit log review until automated SIEM correlation is affordable in Year 2
Will not accept
- Continued operation without a tested incident response plan beyond Month 6
- New production systems processing FERPA data without Entra ID SSO and role-based access
- Tier-1 vendor contracts without data handling and breach notification clauses
- Risk acceptance for unmitigated Critical-rated risks without Board notification
Critical risks (score 16+) require mitigation within 90 days or formal risk acceptance by the CFO with Board notification. High risks require mitigation plans within six months. Medium risks are accepted with documented compensating controls reviewed quarterly.
| ID | Risk | Description | Likelihood | Impact | Score | Owner | Program | Residual |
|---|---|---|---|---|---|---|---|---|
| R-1 | Phishing / BEC | Faculty and DSO staff targeted via high-volume phishing with strong pretext opportunities from external student and vendor communications. | 4 | 4 | 16 | CISO / IT Director | Security Awareness & Phishing Resilience | |
| R-2 | FERPA Data Breach | Unauthorized access to Banner ERP and Gecko Engage exposing 2,500+ student education records, triggering federal enforcement and NY SHIELD notification. | 3 | 4 | 12 | CISO / Registrar | Zero Trust Access & Identity Governance | |
| R-3 | Ransomware (ERP/SIS) | Ransomware disrupting Banner ERP operations, halting registration, financial aid disbursements, and academic reporting, with extended recovery due to lean IT staffing. | 3 | 4 | 12 | IT Director | Zero Trust Access & Identity Governance | |
| R-4 | Third-Party Vendor Risk | Compromise of 15+ SaaS platforms (Gecko Engage, Zoom, Microsoft partners) exposing institutional data without direct SFC action. | 3 | 3 | 9 | Legal / Compliance + CISO | Third-Party Risk Management | |
| R-5 | Insider Threat | Privilege abuse by authorized users, including graduate assistants with elevated system access; no formal PAM program currently exists. | 2 | 4 | 8 | IT Director / CISO | Zero Trust Access & Identity Governance | |
R-1. Phishing / BEC
Faculty and DSO staff targeted via high-volume phishing with strong pretext opportunities from external student and vendor communications.
Owner
CISO / IT Director
Mitigation Status
Current Controls
- Microsoft 365 email filtering
- Partial Entra ID MFA
Control Gaps
- No structured awareness program
- No phishing simulation baseline
Planned Mitigations
- KnowBe4/Proofpoint deployment
- Quarterly phishing simulations
- Role-based training for DSO and finance
Linked program: Security Awareness & Phishing Resilience
Residual risk: High
Risk heat map (axes: Impact, Likelihood)
Risk score distribution