Information Risk Management Standard

Purpose

This Standard supports and supplements the University of Central Oklahoma’s (“UCO” or “University”) Information Security Policy. The standard is mandatory and enforced in the same manner as policy. It will be periodically reviewed and updated as necessary to meet changes in legal and regulatory requirements.

Management of institutional risk is a critical component of UCO’s information security program. Given the size, scope, and complexity of University information systems and data assets, it is neither feasible nor desirable to equally protect all systems and assets.

To support making the best-informed decisions possible, UCO has adopted the NIST Risk Management Framework to guide its risk-based approach to assessing how to prioritize resources allocated to mitigate identified risks to systems and data.

Risk assessments can identify security gaps within a unit or information system, and they play an important function in determining the overall information security posture of the unit or system. In the aggregate, risk assessments conducted across the University can help in determining the University’s overarching information security profile, as well as identifying common risks and deficiencies.

Finally, risk assessments and associated risk mitigation are required by regulations with which the University must comply, including, but not limited to, FERPA, GDPR, HIPAA, GLBA, FISMA, and PCI.

Scope

This Standard applies to:

  1. All divisions, colleges and units established by the University that exercise any information technology (IT) function relating to the mission of the University, except for those specifically exempted in writing by the senior leadership of the University (as defined in the Information Security Policy).

  2. University computer and telecommunications systems; faculty, staff, and students; academic and administrative units; affiliated entities, agents, contractors, and volunteers of the University; members of the community who use and/or administer such systems; and any information asset (as defined in this policy) that connects directly or indirectly to any UCO owned, leased, contracted, or operated computer or telecommunication system.

Standard Details

ROLES AND RESPONSIBILITIES:

Information System Owners: (Unit Leadership/Business Owner/Service Owner)

Information system owners are responsible for ensuring that those information systems and applications under their control that are deemed mission critical or that process, maintain, transmit, or store sensitive institutional data are assessed for risk based on data classification level, and that identified risks are mitigated, transferred, or accepted, as stipulated below.

Security Liaison (SL):

Every university unit has an assigned Security Liaison who, as part of their overall responsibilities, is responsible for:

  1. Assisting the Office of Information Technology (OIT) in the maintenance and inventory of systems hosting data classified as Restricted or High, mission critical information assets within the unit, or any unit unique regulatory requirements.

  2. Clarifying risk assessment scopes, in conjunction with OIT, where applicable, with relevant documentation, diagrams, knowledge base sites, etc.

  3. Assisting with providing access to systems for security reviews and control validation.

  4. Ensuring risk treatment plans are implemented for unit unique services or applications.

  5. Facilitating post-assessment decisions and coordination of risk mitigation efforts.

Director of Information Security: 

Approves the baseline security controls established for all units and information systems and determines minimum acceptable risk levels for all University environments. The Director of Information Security handles appeals for exception to the provisions of this Standard.

Information Security Department (ISD): 

ISD is responsible for the development and maintenance of a standards-based risk assessment methodology; facilitating risk assessments for appropriate units and information systems; and providing risk mitigation support and other follow-up of completed risk assessments. ISD also educates unit and information system staff on how to carry out a risk assessment where appropriate.

RISK LIFECYCLE:

Information Security risk management is an ongoing lifecycle that includes the following steps:

Step 1: Categorize

  1. Categorize the information system and the information and data processed, stored, and transmitted by that system based on sensitivity and risk of harm to individuals and the University if the information is subject to a breach or unauthorized disclosure (See Data Classification Policy and related guides and summaries).

  2. All information systems that process, store, or transmit high or restricted level data as defined in the Information Assurance and IT Security Policy must be assessed for risk to the University that results from threats to the integrity, availability and confidentiality of the data.

Step 2: Select

Select an initial set of baseline security controls based on the information classification levels specified in the Data Classification Policy. ISD is responsible for determining and incorporating appropriate security controls into UCO’s information risk assessment methodology based on:

  1. Information Assurance and IT Security Policy and supporting standards.

  2. Legal and regulatory requirements.

  3. NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations and NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems, where deemed appropriate.

Step 3: Assess

Assess the extent to which security controls are correctly implemented, operating as intended, and producing the desired outcome.

The core elements of a risk assessment include:

  1. Scope of assessment.

  2. Current state of security control implementation.

  3. Documentation of identified threats, vulnerabilities, and risks associated with the system.

  4. Mitigation recommendations to increase the security posture of the system.

Risk assessments for systems or applications that store, process, or transmit high or restricted level data are required to be conducted according to the following schedule, either by ISD staff or by other qualified security professionals approved by ISD:

  1. Prior to go live or implementation of a new system.

  2. Within six months after significant changes have been made to a system, including major policy changes and introduction of new technologies with substantial impact on information security.

  3. Every year at minimum.

  4. Soon after a serious IT security incident is reported.

  5. When required by law or contract.

  6. Due to staffing constraints, ISD may prioritize assessment schedules based upon information classification, institutional priorities, compliance requirements, or contractual obligations.

The chart below summarizes requirements for risk assessments by data classification level:

  Information Classification Level | Required or Recommended | Risk Assessment Frequency | Assessment Performed by
  RESTRICTED                       | Required                | Annual                    | OIT - ISD
  CONFIDENTIAL                     | Required                | Annual                    | OIT - ISD
  UNRESTRICTED (INTERNAL)          | Recommended             | Every 2 Years             | OIT - ISD
  PUBLIC                           | Recommended             | Every 2 Years             | OIT - ISD

Assessment Outcomes:

  1. The results of unit conducted risk assessments, and any associated remediation plans, are required to be provided to ISD.

  2. Once a risk has been identified, units will work with ISD to develop and implement risk mitigation actions and strategies to reduce the risk to acceptable levels. The process of actively managing identified risks is facilitated by ISD’s Risk Assessment tool.

  3. Risk assessments are considered IT security data classified as high and must be maintained as such and made available only to those with job related responsibilities, such as Internal Audit.

Step 4: Implement

Implement the appropriate risk reducing controls as identified by the risk assessment process. Upon completion of the risk assessment, a Risk Treatment Plan must be prepared within thirty days. Additional tasks include ownership identification, estimated time to carry out identified mitigation recommendations, metrics to evaluate progress and success, and financial costs and estimated starting and completion dates.

Risks identified by a risk assessment and included in a Risk Treatment Plan must be mitigated or accepted on a priority basis:

  1. Prior to the system being placed into operation.

  2. Within the stipulated time frame of the Risk Treatment Plan for ongoing systems and applications.

Identified risks must be addressed by one of the following.

  1. Implementing identified control (information security risk mitigation).

  2. Sharing or shifting the risk to another party (information security risk transference).

  3. Assuming or accepting the identified risk (information security risk acceptance).

Risk Treatment Plans must be completed within eighteen months, unless otherwise specified, and with highest priority items handled per a time-frame set by OIS, not to exceed one year.

Step 5: Authorize

Authorize that an identified but unmitigated risk is acceptable. Risks are expressed, quantitatively and qualitatively, as Severe, High, Medium, Low, or Very Low.

UCO units and individuals must not unilaterally accept information security and compliance risk that results in the greater University’s vulnerability to cyber risks.

Specifically:

  1. Residual high and severe risks identified in risk assessments, but not able to be mitigated in an established timeframe, may only be accepted on behalf of the University by the Chief Information Officer (CIO) or a delegated authority.

  2. Changes to approved risk treatment plans or requests for exceptions to this Standard must be submitted in accordance with the Request for Exceptions to the Information Security Policy Standard (see below).

  3. Approval authority may be delegated if documented in writing, but ultimate responsibility for risk acceptance on behalf of the university cannot be delegated.

Step 6: Monitor and Follow-up

OIT and ISD will follow up with units on an ongoing basis to ensure and track progress of open Risk Treatment Plan items.

EXCEPTIONS:

Exceptions to required minimum standards for risk assessment and risk mitigation are expected to be generally in line with the provisions of the Exceptions to Information Security Policy Request Standard.

References

NIST SP 800-30, Revision 1: Guide for Conducting Risk Assessments

NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations

Related NIST Controls

PM-04 Plan of Action and Milestones

RA-01 Risk Assessment Policy and Procedures

RA-02 Security Categorization

RA-03 Risk Assessment

RA-04 Risk Assessment Update

NIST SP 800-53 Revision 4:

AC-07 (2) Unsuccessful Logon Attempts

MA-02 (d) Controlled Maintenance

MA-03 (3)(b) Maintenance Tools

MA-04 (3)(b) Non-Local Maintenance

MA-05 (1)(a)(2), (1)(b) Media Transport

MP-04 (b) Media Storage

MP-06 Media Sanitization

MP-07 (2) Media Use

MP-08 (4) Media Downgrading

SC-04 (2) Information in Shared Resources

Standard Violations

  1. Failure to comply with this standard or other University policies will result in disciplinary action, up to and including termination of employment and/or enrollment. All persons to whom these policies, standards, and guidelines are applicable, as stated above, are responsible for adhering to these rules.

  2. All supervisory personnel are responsible for ensuring that these policies, standards, and guidelines are adhered to within their respective areas of responsibility. Any user may report University policy or law violations to their immediate supervisor, representative faculty or school personnel or using UCOMMENT.


Change Log

  Version | Date | New | Original

Approvals

  Approved By | Date             | Description
  Jeff Miller | February 3, 2023 | Initial Policy Release