Information security risk assessment standard
Purpose
This standard establishes the process for assessing risks associated with university data and information systems (“OHIO Systems”) and documenting and communicating the associated risks to university leadership. The objective of the risk assessment process is to assist university leadership in making informed decisions regarding the treatment or acceptance of those risks. The risk assessments will focus on the privacy and security of data based on the level of data classification as outlined in the policy Data Classification (93.001).
Standard
University policy Information Security Risk Management (91.006) establishes the university’s Information Security Risk Management Program (“ISRMP”). As a part of the ISRMP, the Information Security Office (“ISO”) has developed a formal risk assessment framework that is based on the National Institute of Standards and Technology (NIST) 800 Series Publications. The objective of this framework is to provide a consistent approach to identifying, reporting, mitigating, and managing risks associated with OHIO Systems.
Risk assessments will occur in the following instances:
- Prior to the acquisition of information systems as outlined in the information security standard Third Party Vendor Management.
- When an existing OHIO System is subject to a change in risk posture due to a significant change in technology or use. Examples of a significant change would be major software upgrades, changes in platforms or vendors, changes in the classification of data, changes in the volume of users, or changes in the volume of records stored, processed or transmitted by the system.
- Periodically: all OHIO Systems will be subject to periodic review.
OHIO Systems will be assessed through the ISRMP. The fundamental purpose of the risk assessment is the identification, analysis, and reporting of a unit’s current processes and internal controls compared to the processes and internal controls needed to manage information risks associated with OHIO Systems.
The ISRMP risk assessment process will include the following focus areas:
- Assessment of controls: The unit’s existing security controls, processes, and procedures relating to information security will be assessed in the following thirteen categories: governing policy, responsibility and access management, human resources security, asset management, access control, cryptographic controls, physical safeguards, operational security, communications security, system acquisition development and maintenance, relationships with vendors, incident response, and compliance.
- Vulnerability analysis: Threats and vulnerabilities applicable to OHIO Systems are identified during this process. Threats and vulnerabilities are defined as events, acts, or actors that are not within the realm of the university or unit’s control. Examples of such would be acts of nature such as floods or tornadoes, an attempt by an outside source to hack university networks, etc.
- Risk analysis: The effectiveness of controls is evaluated and an overall risk level score is calculated based on the impact and likelihood of identified threats and vulnerabilities. The overall risk level score is then aggregated with the control effectiveness score to arrive at the balanced scorecard of risk for the OHIO Systems assessment control areas. The objective of the risk analysis portion of the process is to apply consistent evaluation criteria to identified threats and vulnerabilities.
- Risk treatment: At the conclusion of the assessment and analysis of controls, threats and vulnerabilities, the unit will be presented with suggested control improvements in the form of a memo or report and a risk treatment plan template. Unit leadership will then be responsible for completing the risk treatment plan by indicating the unit’s plan to accept, reduce, transfer or discontinue the associated risk. Approval authority may be delegated if documented in writing, but ultimate responsibility for risk acceptance cannot be delegated, per the policy Information Security Risk Management (91.006). The following table defines the risk treatment options:
| Risk treatment option | Description |
|---|---|
| Accept | Accept the risk as is without the intent to implement any mitigating controls. |
| Reduce | Intent to implement controls to mitigate the risk and / or lessen the impact of the risk on the unit. |
| Transfer | Intent to transfer the risk in all or in part to a third party or another unit within the university. |
| Discontinue | Stop or discontinue the risk-creating activity. |
- Risk monitoring: All university units will be subject to periodic monitoring of risks and controls to ensure a continual risk posture that is in line with the university’s level of risk tolerance.
Risk assessment records will be retained by the Information Security Office according to the university policy Records Management and Archiving (93.002) and applicable laws and regulations.
References
- Policy 91.003 Data Classification
- Policy 91.006 Information Security Risk Management
- Policy 91.005 Information Security
- Policy 93.002 Records Management and Archiving
- NIST 800 Series Publications
- Information Security Standard: Third Party Vendor Management
- The university’s Information Security Risk Management Strategy
Exceptions
All exceptions to this standard must be formally documented with the ISO prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.
Request an exception: complete the Exception request form.
Governance
This standard will be reviewed and approved by the university Information Security Governance Committee as deemed appropriate based on changes in the technology landscape and/or changes to established regulatory requirements.
Reviewers
The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:
- Information Technology: Ed Carter (Chair)
- Faculty: Hans Kruse
- Faculty: Brian McCarthy
- Finance and Administration: Julie Allison
- Associate Dean: Shawn Ostermann
- Regional Higher Education: Larry Tumblin
- Research and Sponsored Programs: Maureen Valentine
- Enterprise Risk Management and Insurance: Larry Wines
History
Draft versions of this policy were circulated for review and approved on 02/03/2022.