To protect the confidentiality, integrity, and availability of University of Minnesota data in compliance with applicable state and federal laws and regulations, the University of Minnesota has formal information security risk management processes. The University uses a formal Information Security Risk Management (ISRM) program that identifies risks and implements plans to address and manage them.
The University Chief Information Security Officer (CISO) is responsible for managing the Information Security Risk Management program and coordinating the development and maintenance of program policies, procedures, and standards. The Information Security Risk Management program includes the process for managing exceptions to the Information Security policy and the risk acceptance process.
The University CISO develops an annual information security risk assessment plan in consultation with collegiate and administrative units. Risk assessments are performed on information assets, systems, processes, and controls, prioritized by risk criticality.
Collegiate and administrative units must identify all collections and uses of private data to University Information Security upon request, collaborate with the University CISO to complete information security risk assessments, and develop and implement a risk treatment plan. Units must report updates to the risk treatment plan to the University CISO or designate. Units must share with University Information Security the results of risk assessments, and any associated risk treatment plans completed by parties other than University Information Security.
Reason for Policy
University data are valuable assets to the University of Minnesota and require appropriate protection. A formal Information Security Risk Management (ISRM) program consistently identifies and tracks information security risks, implements plans for remediation, and provides guidance for strategic resource planning. It is critical that the University administer formal ISRM processes in order to facilitate compliance with applicable state and federal laws and regulations, protect the confidentiality, integrity, and availability of University of Minnesota data, and enable informed decisions regarding risk tolerance and acceptance.