Information Risk Management Standard

This Standard supports and supplements the University of Central Oklahoma’s (“UCO” or “University”) Information Security Policy. The standard is mandatory and enforced in the same manner as policy. It will be periodically reviewed and updated as necessary to meet changes in legal and regulatory requirements.

Management of institutional risk is a critical component of UCO’s information security program. Given the size, scope, and complexity of University information systems and data assets, it is neither feasible nor desirable to equally protect all systems and assets.

To support making the best-informed decisions possible, UCO has adopted the NIST Risk Management Framework to guide its risk-based approach to prioritizing the resources allocated to mitigating identified risks to systems and data.

Risk assessments can identify security gaps within a unit or information system, and they play an important function in determining the overall information security posture of the unit or system. In the aggregate, risk assessments conducted across the University can help in determining the University’s overarching information security profile, as well as identifying common risks and deficiencies. Finally, risk assessments and associated risk mitigation are required by regulations with which the University must comply, including, but not limited to, FERPA, GDPR, HIPAA, GLBA, FISMA, and PCI.

Details

Article ID: 112369
Created: Thu 2/9/23 1:54 PM
Modified: Thu 10/12/23 3:32 PM