Information Security Risk Management
Responsible University Officer(s):
- Vice President for Information Technology
- Chief Information Security Officer
To protect the confidentiality, integrity, and availability of University of Minnesota data in compliance with applicable state and federal laws and regulations, the University of Minnesota has formal information security risk management processes. The University uses a formal Information Security Risk Management (ISRM) program that identifies risks and implements plans to address and manage them.
The University Chief Information Security Officer (CISO) is responsible for managing the Information Security Risk Management program and coordinating the development and maintenance of program policies, procedures, and standards. The Information Security Risk Management program includes the process for managing exceptions to the Information Security policy and the risk acceptance process.
The University CISO develops an annual information security risk assessment plan in consultation with collegiate and administrative units. Risk assessments are performed on information assets, systems, processes and controls, based on risk criticality.
Collegiate and administrative units must identify all collections and uses of private data to University Information Security upon request, collaborate with the University CISO to complete information security risk assessments, and develop and implement a risk treatment plan. Units must report updates to the risk treatment plan to the University CISO or designate. Units must share with University Information Security the results of risk assessments, and any associated risk treatment plans completed by parties other than University Information Security.
REASON FOR POLICY
University data are valuable assets to the University of Minnesota and require appropriate protection. A formal Information Security Risk Management (ISRM) program consistently identifies and tracks information security risks, implements plans for remediation, and provides guidance for strategic resource planning. It is critical that the University administer formal ISRM processes, in order to facilitate compliance with applicable state and federal laws and regulations, protect the confidentiality, integrity, and availability of University of Minnesota data, and enable informed decisions regarding risk tolerance and acceptance.
|Primary Contact||Brian Dahlinfirstname.lastname@example.org|
- Information or information technology that has value to the University or which requires protection to meet the University's legal or contractual obligations. Assets can include data, software, hardware, network, data center.
- Any administrative, management, technical, or legal method that is used to prevent, detect or correct risks. Controls are also known as safeguards or countermeasures. Controls include practices, policies, procedures, programs, techniques, technologies, guidelines, and organizational structures.
- Information collected, stored, transferred or reported for any purpose, whether electronically or hard copy.
- Exception Process
- Process by which a unit documents where a requirement within the information security standards in the Information Security Policy cannot be met on an information technology resource. This process includes the acceptance of the risk by the unit.
- Inherent Risk
- Level of risk before Risk Treatments (controls) are applied.
- Private Data
- For the purposes of this policy, private-highly restricted and private-restricted are defined in Administrative Policy: Data Security Classification.
- Residual Risk
- Level of risk that remains after Risk Treatments (controls) are applied to a given Risk.
- The possibility of suffering harm or loss or the potential for realizing unwanted negative consequences of an event.
- Risk Management
- The ongoing management process of assessing risks and implementing plans to address them.
- Risk Assessment
- The process of taking identified risks and analyzing their potential severity of impact and likelihood of occurrence.
- Risk Treatment
- The process of managing assessed or identified risks. Risk treatment options are risk avoidance (withdraw from), sharing (transfer), modification (reduce or mitigate) and retention (acceptance).
- University Chief Information Security Officer (CISO)
- Manage the Information Security Risk Management program and coordinate the development and maintenance of Information Security Risk Management policies, procedures, and standards.
- Approve residual risk assessments level and procedures.
- Administrative and Academic Senior Leadership
- Participate in the Information Security Risk Management program, including identification of assets and services, allocation of resources, risk prioritization, risk acceptance, and implementation of risk treatment plan.
- Consider and jointly accept residual risk and Information Security policy exceptions with University’s Vice President for Information Technology where assessed risk level is medium or high.
- Administrative and Collegiate Faculty and Staff
- Identify all collections and uses of private data and provide to University Information Security upon request.
- Collaborate with the University CISO to complete information security risk assessments.
- Develop and implement a risk treatment plan.
- Report updates on the risk treatment plan to the University CISO or designate.
- Submit exceptions to the Information Security Policy and work with University Information Security through the exceptions process.
- Executive Oversight Compliance Committee
- Provide executive-level oversight for elevated security risks identified by the information security risk management program.
- Vice President for Information Technology
- Consider and jointly accept residual risk and Information Security policy exceptions with Administrative and Academic Senior Leadership where assessed risk level is medium or high.
- University Information Security
- Schedule and prioritize information security risk assessments.
- Request from administrative and collegiate faculty and staff information related to their collection and use of private data
- Conduct information security risk assessments.
- Process and follow up on requested exceptions to the Information Security policy.
Related Laws and Regulations
- Health Insurance Portability and Accountability Act (HIPAA)
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach Bliley Act (GLBA)
- Minnesota Data Practices Act
- Payment Card Industry Data Security Standard (PCI DSS)
- November 2017 - Comprehensive Review, Minor Revisions: 1. Revise policy statement to clarify that risk management includes managing the exceptions and risk acceptance for the Information Security policy. 2. Update roles and responsibilities, add and align definitions with other information technology policies. 3. Add Related Laws and Regulations section. 4. Add link in the Procedure section to the related procedure in the Information Security policy on Requesting an Exception. 5. Update the Conducting Risk Assessments procedure to align the content with the process flow. 6. Add color to the diagram to highlight the four phases of a risk assessment.
- January 2014 - New policy. Establishes formal requirements to identify and track information security risks, and implement plans for remediation.