Skip to main content

Risk Assessment Policy

Version 1.0.2

Purpose

The purpose of this policy is to facilitate compliance with applicable state and federal laws and regulations, protect the confidentiality and integrity of the University’s IT Resources, and enable informed decisions regarding risk tolerance and acceptance.

Scope

This IT policy, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • The Director, IT Risk, and Data Integrity (or designees) is authorized to perform periodic information security risk assessments to determine areas of vulnerability and to initiate appropriate remediation.
  • The University uses formal Information Security Risk Management (ISRM) programs (e.g., Modulo, Qualys) that identify risks and implement plans to address and manage them.
  • The Director, IT Risk, and Data Integrity is responsible for managing the Information Security Risk Management program and coordinating the development and maintenance of program policies, procedures, standards, and reports.
  • The ISRM program is based on risk assessment and developed in consideration of University priorities, staffing, and budget.
  • Risk assessments must identify, quantify, and prioritize risk acceptance and objectives relevant to the University. The results are to guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls to protect against these risks.
  • The risk assessment must include the systematic approach of estimating the magnitude of risks (risk analysis) and the process of comparing the calculated risks against risk criteria to determine the significance of the risks (risk evaluation). 
  • Risk assessments are performed periodically to address changes in security requirements and the risk situation (e.g., threats, vulnerabilities, impacts, risk evaluation, and data classification). 
  • Risk assessments are to be undertaken systematically, capable of producing comparable and reproducible results. The information security risk assessment should have a clearly defined scope to be effective and should include relationships with risk assessments in other areas, if appropriate.

Definitions

Control is a defined process or procedure to reduce risk.

Inherent Risk is the level of risk before Risk Treatments (controls) are applied.

IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Information Security Risk Management (ISRM) is a program consistently identifies and tracks information security risks, implements plans for remediation, and guides strategic resource planning. 

Residual Risk is a level of risk that remains after Risk Treatments (controls) are applied to a given Risk.

Risk is the possibility of suffering harm or loss or the potential for realizing unwanted negative consequences of an event.

Risk Management is the ongoing management process of assessing risks and implementing plans to address them.

Risk Assessment is the process of taking identified risks and analyzing their potential severity of impact and likelihood of occurrence.

Risk Treatment is the process of managing assessed or identified risks. Risk treatment options are risk avoidance (withdraw from), sharing (transfer), modification (reduce or mitigate) and retention (acceptance).

Related Policies and Procedures

Implementation Information

Review Frequency: Annual
Responsible Person: Director, IT Risk and Data Integrity
Approved By: CISO
Approval Date: March 1, 2017

Revision History

Version: Date: Description:
1.0 03/01/2017 Initial document
1.0.1 03/02/2018 Grammatical changes only.  No adjustments to the policy.
1.0.2 06/25/2018 Updated disclaimer, scope, and definitions.

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Willful failure to adhere to UISO written policies may be met with University sanctions.