RECON (Risk Evaluation of Computers and Open Networks) is a risk assessment methodology developed for use at U-M.
Risk assessments, such as RECON, are part of U-M's ongoing Information Security Risk Management process. These assessments allow risks to be better prioritized, and facilitate a cost-effective approach to mitigating identified weaknesses and vulnerabilities.
Because the elimination of all risk is not feasible, unit leadership should balance the cost and effectiveness of proposed risk-reducing activities noted in a RECON against the potential severity of the risk.
When a RECON is Required
The Information Security Policy (SPG 601.27) requires every unit to periodically conduct risk assessments of sensitive and mission critical information assets. All RECON final reports and associated documents are considered IT security information and are classified as High level data.
Sensitive and mission critical information assets are those which either:
- Contain sensitive institutional data OR
- Contain data that meet the criteria for mission critical data outlined in Responsibility for Maintaining Information Technology Backup and Recovery Procedures (SPG 601.07-1).
When a mission critical system or application fails or is interrupted for even a brief period of time, there is a significant impact on business operations.
Mission critical systems, activities, or functions are those whose failure or unavailability, even for a unit-defined short timeframe, will affect essential business or unit operations in an unacceptable way. Each unit determines which of its systems, activities, and functions are mission critical.
If a system, activity, or function's failure can be tolerated longer than the unit-defined time period, it is not mission critical.
Completing a RECON Assessment
Units may ask Information Assurance (IA) to perform the RECON assessment or may perform it themselves.
For further information or assistance related to unit risk assessments, contact email@example.com.