University of Minnesota  Administrative Policy

Information Security Risk Management

Policy Statement

To protect the confidentiality, integrity, and availability of University of Minnesota data in compliance with applicable state and federal laws and regulations, the University of Minnesota has a formal Information Security Risk Management Program. This program includes two procedures that support overall risk management: the process for conducting risk assessments, and the process for managing exceptions to the Information Security Policy. 

The University Chief Information Security Officer (CISO) is responsible for managing the Information Security Risk Management Program and coordinating the development and maintenance of program policies, procedures, and standards. 

Risk Assessments 

The University CISO develops an annual information security risk assessment plan in coordination with collegiate and administrative units across the system (see responsibilities below). Collegiate and administrative units have a responsibility and obligation to ensure risk assessments are performed on their technology, processes, and controls based on risk criticality. 

Collegiate and administrative units must: 

  • Identify all collections and uses of private data and report them to University Information Security upon request. 
  • Collaborate with the University CISO to complete information security risk assessments. 
  • Develop and implement a risk treatment plan. 
  • Report updates to the risk treatment plan to the University CISO or designate. 

Units must share with University Information Security results of applicable risk assessments, and any associated risk treatment plans completed by parties other than University Information Security.

Reason for Policy

University data are valuable assets to the University of Minnesota and require appropriate protection. A formal Information Security Risk Management program consistently identifies and tracks information security risks, monitors plans for remediation, and provides guidance for strategic resource planning. It is critical that the University administer formal Information Security Risk Management processes, in order to facilitate compliance with applicable state and federal laws and regulations, protect the confidentiality, integrity, and availability of University of Minnesota data, and enable informed decisions regarding risk tolerance and acceptance.

Contacts

Subject: Primary Contact
Contact: Brian Dahlin
Phone: 612-625-1505
Email: [email protected]

Responsible Individuals

  • Responsible Officer: Vice President and Chief Information Officer, Office of Information Technology
  • Policy Owner: Chief Information Security Officer, Office of Information Technology
  • Primary Contact: Brian Dahlin, Chief Information Security Officer, Office of Information Technology

Definitions

Asset

Information or information technology that has value to the University or which requires protection to meet the University's legal or contractual obligations. Examples of assets can include data, software, hardware, network, and data centers. 

Compensating Control

Alternate control or measure implemented to reduce risk where the preferred security or privacy control could not be met or is not feasible. 

Control

Any administrative, management, technical, or legal method that is used to prevent, detect or correct risks. Controls are also known as safeguards or countermeasures. Controls include practices, policies, procedures, programs, techniques, technologies, guidelines, and organizational structures. 

Data

Information collected, stored, transferred, or reported for any purpose, whether electronically or hard copy. 

Information Security Exception Process

Process by which a unit documents where a requirement within the information security standards in the Information Security Policy cannot be met on an information technology resource. This process includes the acceptance of the risk by the unit. See Requesting an Exception to the Information Security Policy.

Inherent Risk

Level of risk before risk treatments (controls) are applied. 

Private Data

For the purposes of this policy, private-highly restricted and private-restricted are defined in Administrative Policy: Data Security Classification.

Remediation Plan

Process of identifying security risks, assessing controls and guidelines to mitigate risks, and taking corrective action to resolve those risks. 

Residual Risk

Level of risk that remains after risk treatments (controls) are applied to a given risk. 

Risk

The possibility of suffering harm or loss or the potential for realizing unwanted negative consequences of an event. 

Risk Management

The ongoing management process of assessing risks and implementing plans to address them. 

Risk Assessment

The process of taking identified risks and analyzing their potential severity of impact and likelihood of occurrence. 

Risk Treatment

The process of managing assessed or identified risks. Risk treatment options are risk avoidance (withdraw from), sharing (transfer), modification (reduce or mitigate), and retention (acceptance).

Responsibilities

University Chief Information Security Officer (CISO) 

  • Manage the Information Security Risk Management program and coordinate the development and maintenance of Information Security Risk Management policies, procedures, and standards. 
  • Approve residual risk assessment levels and procedures.

Collegiate and Administrative Senior Leadership

  • Participate in the Information Security Risk Management program, including identification of assets and services, allocation of resources, risk prioritization, risk acceptance, and implementation of risk treatment plan. 
  • Consider and jointly accept residual risk and Information Security policy exceptions with the University's Vice President for Information Technology where assessed risk level is medium or high.

Collegiate and Administrative Unit Faculty & Staff

  • Identify all collections and uses of private data and provide to University Information Security upon request. 
  • Collaborate with the University CISO or designate(s) to complete timely information security risk assessments. 
  • Develop and implement a risk treatment plan. 
  • Report progress on the risk treatment plan to the University CISO or designate. 
  • Submit exceptions to the Information Security Policy and work with IT staff through the exceptions process.

Executive Oversight Compliance Committee

  • Provide executive-level oversight for elevated security risks identified by the information security risk management program.

Vice President for Information Technology

  • Consider and jointly accept residual risk and Information Security policy exceptions with Administrative and Academic Senior Leadership where assessed risk level is medium or high.

University Information Security

  • Schedule and prioritize information security risk assessments. 
  • Request from administrative and collegiate faculty and staff information related to their collection and use of private data. 
  • Conduct information security risk assessments. 
  • Process and follow up on requested exceptions to the Information Security policy.

History

Amended:

January 2024 - Comprehensive Review, Minor Revisions:
  1. Revised policy statement.
  2. Reformatted and updated the Risk Assessment section.
  3. New definitions for Compensating Control and Remediation Plan.
  4. Updated definitions of Information Security Exception Process and Private Data with hyperlinks to the associated policy and procedures.

Amended:

November 2017 - Comprehensive Review, Minor Revisions:
  1. Revise policy statement to clarify that risk management includes managing the exceptions and risk acceptance for the Information Security policy.
  2. Update roles and responsibilities; add and align definitions with other information technology policies.
  3. Add Related Laws and Regulations section.
  4. Add link in the Procedure section to the related procedure in the Information Security policy on Requesting an Exception.
  5. Update the Conducting Risk Assessments procedure to align the content with the process flow.
  6. Add color to the diagram to highlight the four phases of a risk assessment.

Effective:

January 2014 - New policy. Establishes formal requirements to identify and track information security risks, and implement plans for remediation.