RECON (Risk Evaluation of Computers and Open Networks) is a risk assessment methodology developed for use at U-M.
- RECON assessments are part of U-M's ongoing Information Security Risk Management process.
- Information Security (SPG 601.27) requires every unit to periodically conduct RECONs.
- Information Security Risk Management (DS-13) defines which systems must be assessed, the frequency of those assessments, and who must perform the RECON.
When a RECON Is Required
There are two criteria that determine if a system must be assessed, who must do the RECON assessment, and how often it must be done:
- Mission criticality. Any system that meets the criteria for mission critical systems or applications must be assessed.
- Data Classification. All information systems that create, process, store, or transmit sensitive university data classified as Restricted or High as defined by the U-M Data Classification Levels must be assessed. It is recommended that systems handling data classified as Moderate or Low be assessed whenever possible.
All RECON final reports and associated documents are considered IT security information. These data are classified as High.
IA Performs Some RECONs
Information Assurance (IA) or IA-approved unit staff must perform RECONs for systems that create, process, store, or transmit data classified as Restricted or High. Units will be asked to help define the scope of the assessment (which systems are to be assessed) and participate in the RECON process as needed.
Contact IA through the RECON request form to begin the RECON process.
Units Perform Some RECONs
Unit staff members who have received training from IA can perform RECONs for unit systems that create, process, store, or transmit data classified as Moderate or Low. Units can ask IA to perform RECONs for these systems, but because of the number of RECON requests IA receives and the need to prioritize those requests, units are encouraged to have an IA-trained staff person do a self-assessment whenever possible.
To perform a RECON in your unit, follow these steps:
- Contact IA through the RECON request form to begin the self-assessment process. IA will schedule training sessions as needed for unit staff doing their first self-assessment.
- Reply to the confirmation email from IA, and include the scope of your RECON. The scope of the RECON is an inventory of which system(s) will be assessed. You must submit a scope before participating in the training, because you will begin your RECON during the training session.
- Attend the in-person training, and learn to use the RECON self-assessment portal. You will receive detailed instructions as well as hands-on training. An IA mentor will be assigned to you to help you complete the RECON.
- Perform the RECON with guidance from your IA mentor.
- Receive a risk treatment plan to help your unit take action, along with presentation materials to help present the RECON findings within your unit.
RECON Resources for Units
Staff performing RECONs for their units may be asked to review materials before training, and may find it helpful to review some RECON-related materials after training. U-M login is required to view RECON materials.