Risk Assessment Policy

Purpose

The purpose of this policy is to facilitate compliance with applicable federal and state laws and regulations, protect the confidentiality and integrity of the University’s IT Resources, and enable informed decisions regarding Risk Management.

Scope

This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

• The Senior Director of IT Security and Assurance (or designees) is authorized to perform periodic information security Risk Assessments to determine vulnerabilities and initiate appropriate remediation.
• The University uses formal Information Security Risk Management (ISRM) programs that identify risks and implement plans to address and manage them.
• The Senior Director of IT Security and Assurance manages the ISRM program and coordinates the development and maintenance of program policies, procedures, standards, and reports.
• The ISRM program is based on risk assessment and developed in consideration of University priorities, staffing, and budget.
• Risk Assessments must identify, quantify, and prioritize risk acceptance and objectives relevant to the University. The results are to guide and determine the appropriate management action and priorities for managing information security risks and for implementing Controls to protect against these risks. 
• The Risk Assessment must include the systematic approach of estimating the probability and impact of the risk and the process of analyzing the Inherent Risk score to evaluate the significance of the risk. 
• Risk Assessments are performed periodically to address changes in security requirements and the risk situation (e.g., threats, vulnerabilities, impacts).  
• Risk Assessments are to be undertaken systematically, capable of producing comparable and reproducible results.

Definitions

Control is a defined process or procedure to reduce risk.

Inherent Risk is the level of risk before controls are applied. 

IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services. 

Information Security Risk Management (ISRM) is a program that consistently identifies and tracks information security risks, implements plans for remediation, and guides strategic resource planning.  

Risk Assessment is the process of taking identified risks and analyzing their potential severity of impact and likelihood of occurrence.

Risk Management is the ongoing management process of assessing risks and implementing plans to address them. 

Related Policies and Procedures

• Data Classification Policy
• Patch Management Policy
• Vulnerability Management Policy

Implementation Information

Revision History

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) may only be done cooperatively between ISA and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to ISA written policies may be met with University sanctions.