Risk Management Standards

Risk Analysis

The University information security risk analysis process is based on the following steps:

  • Systems inventory
  • Potential threat identification
  • Vulnerability identification
  • Existing security control analysis
  • Risk likelihood determination
  • Systems and operations impact analysis
  • Risk level determination

In addition to regular risk analysis, the University ISO, or appropriate designee, must conduct a risk analysis when environmental or operational changes occur that significantly impact the confidentiality, integrity or availability of sensitive information systems. Such changes include but are not limited to:

  • Significant security incidents to sensitive information systems.
  • Significant new threats or risks to sensitive information systems.
  • Significant changes to the organizational or technical infrastructure which affect sensitive information systems.
  • Significant changes to information security requirements or responsibilities which affect sensitive information systems.

Risk Management

Once the risk analysis is completed, the University risk management process is performed based on the following steps:

  • Systems inventory
  • Risk prioritization
  • Method selection
  • Cost-benefit analysis
  • Security method selection
  • Assignment of responsibility
  • Security method implementation
  • Security method evaluation

Strategies for managing risk should be commensurate with the risks to such systems. One or more of the following methods may be used to manage risk:

  • Risk acceptance
  • Risk avoidance
  • Risk limitation
  • Risk transference

Contact

IT Help Desk

(573) 651-4357
helpdesk@semo.edu
Memorial Hall 107

IT Office

(573) 651-2217
One University Plaza
Cape Girardeau, Missouri 63701