IRM-003: Information Technology Security Risk Management Program
Date: 11/18/2004
Status: Final
In today’s advanced technological world, many security threats exist to IT assets, upon which the University has become dependent to carry on its day-to-day functions. Given the serious damage that could result if these assets were lost or otherwise compromised, effectively managing security risks is a critical task for the University and its departments.
This policy establishes expectations for all departments to participate in the University’s Information Technology (IT) Security Risk Management Program. The program provides insight into existing risks within a given IT environment and strategies for reducing or eliminating those risks.
IT Continuity Planning:
The development of a plan for restoration of IT resources identified in the impact analysis and for interim manual processes for continuing critical departmental functions during the restoration process.
IT Impact Analysis:
The identification of information, computing hardware and software, and associated personnel that require protection against unavailability, unauthorized access, modification, disclosure or other security breaches.
IT Risk Assessment:
The determination and evaluation of threats to IT resources and the development of a plan to address any unacceptable risks.
IT Risk Management:
The total process to identify, control and manage the impact of potentially harmful events, commensurate with the value of the protected assets. Risk management includes impact analysis, risk assessment, and continuity planning.
The management of each University department is required to complete the process outlined in the University's Information Technology Security Risk Management Program at least once every three years, when there are significant changes to departmental IT assets, or when there are significant changes to the risk environment. The department head will sign off on the deliverables from this process and file these deliverables in the University's central repository for these documents.
IT Security Risk Management (ITS-RM) Program - Information, templates and tools.
The University has an IT Security Risk Management Program, which includes information, templates, and tools to complete an impact analysis for IT assets managed by a department, a risk assessment for those assets, and continuity planning for events that could damage the assets or otherwise make them unavailable. Completing such a risk management process provides insight into existing risks within a given IT environment and strategies for reducing or eliminating those risks.