Risk Assessment Policy

Version 1.0.2

For Students, Faculty, Staff, Guests, Alumni


The purpose of this policy is to facilitate compliance with applicable federal and state laws and regulations, protect the confidentiality and integrity of the University’s IT Resources, and enable informed decisions regarding risk tolerance and acceptance.


This IT policy, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • The Senior Director, IT Security Operations and Assurance (or designees) is authorized to perform periodic information security risk assessments to determine areas of vulnerability and to initiate appropriate remediation.
  • The University uses formal Information Security Risk Management (ISRM) programs that identify risks and implement plans to address and manage them.
  • The Senior Director, IT Security Operations and Assurance is responsible for managing the Information Security Risk Management program and coordinating the development and maintenance of program policies, procedures, standards, and reports.
  • The ISRM program is based on risk assessment and developed in consideration of University priorities, staffing, and budget.
  • Risk assessments must identify, quantify, and prioritize risk acceptance and objectives relevant to the University. The results are to guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls to protect against these risks.
  • The risk assessment must include the systematic approach of estimating the magnitude of risks (risk analysis) and the process of comparing the calculated risks against risk criteria to determine the significance of the risks (risk evaluation).
  • Risk assessments are performed periodically to address changes in security requirements and the risk situation (e.g., threats, vulnerabilities, impacts, risk evaluation, and data classification).
  • Risk assessments are to be undertaken systematically, capable of producing comparable and reproducible results. The information security risk assessment should have a clearly defined scope to be effective and should include relationships with risk assessments in other areas, if appropriate.


Control is a defined process or procedure to reduce risk.

Inherent Risk is the level of risk before Risk Treatments (controls) are applied.

IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Information Security Risk Management (ISRM) is a program that consistently identifies and tracks information security risks, implements plans for remediation, and guides strategic resource planning.

Residual Risk is a level of risk that remains after Risk Treatments (controls) are applied to a given Risk.

Risk is the possibility of suffering harm or loss or the potential for realizing unwanted negative consequences of an event.

Risk Management is the ongoing management process of assessing risks and implementing plans to address them.

Risk Assessment is the process of taking identified risks and analyzing their potential severity of impact and likelihood of occurrence.

Risk Treatment is the process of managing assessed or identified risks. Risk treatment options are risk avoidance (withdraw from), sharing (transfer), modification (reduce or mitigate) and retention (acceptance).

Related Policies and Procedures

Implementation Information

Review Frequency: Triennial
Responsible Person: Senior Director, IT Security Operations and Assurance
Approved By: CISO
Approval Date: March 1, 2017

Revision History

1.0 03/01/2017 Initial document
1.0.1 03/02/2018 Grammatical changes only.  No adjustments to the policy.
1.0.2 06/25/2018 Updated disclaimer, scope, and definitions.
  05/22/2020 Periodic review

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) may only be done cooperatively between ISA and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to ISA written policies may be met with University sanctions.

 Need Help?

Walk-In Centers

McShane Center 229 | RH
Leon Lowenstein SL18 | LC

View Our Walk-In Hours