IRM-003: Information Technology Security Risk Management Program

Date: 11/18/2004 Status: Final
Last Revised: 05/15/2014
Policy Type: University
Oversight Executive: Chief Information Officer
Applies To: Academic Division, the Medical Center, the College at Wise and University-Related Foundations.
Table of Contents:

Policy Statement
Procedures

Reason for Policy:

In today’s advanced technological world, many security threats exist to IT assets, upon which the University has become dependent to carry on its day to day functions. Given the serious damage that could result if these assets were lost or in other ways compromised, effectively managing security risks is a critical task for the University and its departments.

This policy establishes expectations for all departments to participate in the University’s Information Technology (IT) Security Risk Management Program. The program provides insight into existing risks within a given IT environment and strategies for reducing or eliminating those risks.

Definition of Terms in Statement:
  • IT Continuity Planning:

    The development of a plan for restoration of IT resources identified in the impact analysis and for interim manual processes for continuing critical departmental functions during the restoration process.

  • IT Impact Analysis:

    The identification of information, computing hardware and software, and associated personnel that require protection against unavailability, unauthorized access, modification, disclosure or other security breaches.

  • IT Risk Assessment:

    The determination and evaluation of threats to IT resources and the development of a plan to address any unacceptable risks.

  • Risk Management:

    The total process to identify, control and manage the impact of potential harmful events, commensurate with the value of the protected assets. Risk management includes impact analysis, risk assessment, and continuity planning.

Policy Statement:

The management of each University department is required to complete the process outlined in the University's Information Technology Security Risk Management Program at least once every three years, when there are significant changes to departmental IT assets, or when there are significant changes to the risk environment. The department head will sign off on the deliverables from this process and file these deliverables in the University's central repository for these documents.

Procedures:

IT Security Risk Management (ITS-RM) Program - Information, templates and tools.

Related Information:

In addition to being a widely accepted effective security practice, IT security risk management is required by state and federal regulations. See:

Gramm-Leach-Bliley Act of 1999, Standards for Safeguarding Customer Information; Final Rule – http://www.business.ftc.gov/documents/bus54-financial-institutions-and-customer-information-complying-safeguards-rule.

Health Insurance Portability and Accountability Act of 1996 Health Insurance Reform: Security Standards; Final Rule – http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html.

Policy Background:

The University has an IT Security Risk Management Program, which includes information, templates, and tools to complete an impact analysis for IT assets managed by a department, a risk assessment for those assets, and continuity planning for events that could damage the assets or otherwise make them unavailable. Completing such a risk management process provides insight into existing risks within a given IT environment and strategies for reducing or eliminating those risks.

Major Category: Information Resource Management
Next Scheduled Review: 05/15/2017
Approved by, Date: Executive Vice President and Chief Operating Officer, 11/18/2004
Revision History: Updated 5/15/14, 9/5/13, 4/11/11. Reviewed 11/18/2007.This is the first version of this policy.