Enterprise IT Risk Mitigation Project
Project Overview
This critical university project is focused on enhancing the security and management of our most important IT applications and services. The goal is to strengthen the university’s overall IT risk posture and ensure sustainable operational compliance.
Key Project Information
- Start Date: September 19, 2025
- Target Completion: June 30, 2026
- Project Manager: Hannah Steighner
- Project Sponsor: Alex Henson
- Core Project Team: Dan Han, Barry Lanneau, Katie Shedden
What is This Project About?
The primary objective is to mitigate enterprise risk caused by the decentralized management of critical IT applications and services, especially those that process, transmit, or store sensitive data.
Key Project Initiatives
- Application Inventory and Risk Assessment: We are creating a comprehensive list of all business and mission-critical applications and servers and performing formal risk assessments. We have also engaged external, third-party security expertise to assist in an independent assessment.
- Vulnerability Remediation: We will review, prioritize, and assign the existing vulnerability backlog using a risk-based approach. We are also implementing a new vulnerability assessment program.
- Portfolio Cleanup: We are undertaking an application rationalization exercise to review redundant systems and determine the optimal long-term management model for major applications.
- Server Hosting Model Adjustments: A detailed plan will be developed to establish a modern, standardized, and well-resourced hosting model at the University Computer Center (UCC) that eliminates high-risk, unmanaged infrastructure and promotes consistent configuration management and security practices.
- Governance and Standardization: We are designing and implementing new frameworks and standards for managing enterprise and small-scale applications to ensure consistency in security, data governance, and operational standards across the university.
Why is This Project Necessary?
This project is a direct response to a 2025 IT Vulnerability Management Audit conducted by Audit and Compliance Services. The audit identified significant opportunities to improve our IT risk posture, noting issues like inconsistent application management, inconsistent vulnerability treatment practices, and insufficient enforcement of governance processes.
The initiatives are specifically designed to:
- Remediate audit findings and reinforce accountability across distributed IT operations.
- Ensure sustainable alignment with the university’s enterprise security and risk management standards.
How Can I Learn More?
If you are a stakeholder with questions, you may contact the core project team via the project's generic email account, itrisk@vcu.edu.