...
The university CISO shall periodically assess the risk to the University from information resources and notify information resource owners and other involved parties about these risks so they may be addressed. The CISO will communicate risk to senior leadership semi-annually.
The university CISO shall establish and maintain a vulnerability management program designed to identify and remediate system security risks. [Vulnerability Management Standard]
The university CISO shall establish and maintain a vendor/3rd party risk management program designed to identify and remediate risks to University data and systems.
Data at the university is categorized into categories (currently 4) from high to low based on the risk to the University posed by this data.
The CISO shall review and update the Risk Assessment controls as necessary.
...