Risk Assessment Standard

Description

An important component of an information security program is to establish a process to identify, evaluate and document the inherent risk to the University resulting from the operation of systems and use of data and information.

Scope

This standard applies to the university Chief Information Security Officer (CISO).

Security Requirements

NIST SP 800-171 specifies the following security requirements in the Risk Assessment family:

  • Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. [3.11.1]

  • Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. [3.11.2]

  • Remediate vulnerabilities in accordance with risk assessments. [3.11.3]

Other compliance requirements:

  • HIPAA - The Security Rule (45 CFR 164.308(a)(1)(ii)(A)) requires the University to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information it holds.

  • GLBA - 16 CFR 314.4 requires the University to designate a qualified individual to oversee and enforce an information security program based upon a risk assessment process that identifies risks to customer information. 

  • GDPR - Article 35 of the GDPR covers Data Protection Impact Assessments (DPIAs) and states, “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.” DPIAs will be conducted under the authority of the University’s designated Data Protection Officer (DPO).

Implementation

  1. The university CISO shall periodically assess the risk to the University from information resources and notify information resource owners and other involved parties about these risks so they may be addressed. The CISO will communicate risk to senior leadership semi-annually.

  2. The university CISO shall establish and maintain a vulnerability management program that scans University systems and applications for vulnerabilities, both periodically and when new vulnerabilities affecting them are identified, and remediates them in accordance with the risk assessment.

  3. The university CISO shall establish and maintain a vendor/3rd party risk management program designed to identify and remediate risks to University data and systems.

  4. Data at the University is classified into categories (currently four), from high to low, based on the risk the data poses to the University if its confidentiality, integrity, or availability is compromised.

  5. The CISO shall review and update the Risk Assessment controls as necessary.

Related

The Risk Assessment Standard is created under the Information Security Policy.

Definitions

List any terms used in this standard which need to be defined for the reader's understanding.

Revision History

Date          Version   Description         Approval
Aug 25, 2022  1.0       Original Document   Draft
Oct 31, 2023  1.0       CISO Approval       Approved