Risk assessments of a unit, program, application, or service are based on statutory or regulatory requirements (including FISMA, HIPAA or PCI-DSS) and/or industry best practices (including ISO 27000 series controls):
- Private data is identified, handled, and disposed of appropriately
- Risk treatment plans are appropriately scaled to the risk level of the data involved
- Security standards are applied appropriately and consistently.
University faculty or staff can request a risk assessment for a unit, program, application, technology platform or service by sending an email to University Information Security. The request is reviewed with the Risk Acceptor (usually a Dean, Vice President or other senior leader) to agree on the priority of the assessment. University Information Security reviews and replies to requests within two weeks of receipt.
Risk assessments involve in-depth questionnaires which address:
- potential security threats and gaps
- the strength of security controls
- appropriate risk treatment plans
- formalizing security responsibilities and oversight.
The process typically involves a series of collaborative meetings between the unit's Subject Matter Experts and University Information Security risk analysts, working through the phases listed below:
- Context Establishment
- Risk Assessment
- Risk Treatment and Acceptance
- Monitoring and Review.
Risk Treatment Options
Options for treating risks include:
- Mitigation: implementing controls to reduce the likelihood and/or impact of risk to an acceptable level.
- Transfer: outsourcing or otherwise transferring all or a portion of the risk, or purchasing insurance.
- Avoidance: ceasing a high-risk function or activity.
- Acceptance: making an informed decision to tolerate a certain level of risk by weighing the likelihood and impact of risk against the resources required to mitigate it.
The Risk Assessment document includes the risks identified and the risk treatment plan(s), serving as a foundation for future risk management by the unit. Supplemental documents may include data diagrams or relevant guideline material. The Risk Assessment document is classified as University Private-Restricted data.