IT Security Risk Analysis (RECON)

RECON (Risk Evaluation of Computers and Open Networks) is a risk assessment methodology developed for use at U-M.

Risk assessments, such as RECON, are part of U-M's ongoing Information Security Risk Management process. These assessments allow risks to be better prioritized and facilitate a cost-effective approach to mitigating identified weaknesses and vulnerabilities.

Because the elimination of all risk is not feasible, unit leadership should balance the cost and effectiveness of proposed risk-reducing activities noted in a RECON against the potential severity of the risk.

When a RECON is Required

Information Security (SPG 601.27) requires every unit to periodically conduct risk assessments of sensitive and mission critical information assets. All RECON final reports and associated documents are considered IT security information and are classified as High level data.

Sensitive and mission critical information assets are those which either:

  • Contain sensitive institutional data OR
  • Meet the criteria for mission critical systems or applications.

Mission critical systems, activities, or functions are those whose failure or unavailability, even for a unit-defined short timeframe, will affect essential business or unit operations in an unacceptable way. Mission critical systems, activities, and functions are determined by each unit.

If the failure of a system, activity, or function can be tolerated longer than the unit-defined time period, it is not mission critical.

Completing a RECON Assessment

Units may ask Information Assurance (IA) to perform the RECON assessment, or they may perform it themselves.

Information About Completing a RECON

Further Assistance

For further information or assistance related to unit risk assessments, contact