Conducting Risk Assessments
Information Security Risk Management (ISRM) is the process by which the University identifies information security risks, determines their likelihood and impact, incorporates the implementation of plans for remediation, and provides guidance for strategic resource planning.
The University of Minnesota has been described as a collection of organizations with a variety of governance structures. Therefore, while the Information Security Risk Management Process Diagram below represents the majority of the Information Security Risk Management business processes, variations of the processes are normal and should be expected.
Schedule an Information Security Risk Assessment
To request an Information Security Risk Assessment, email firstname.lastname@example.org.
The Information Security Risk Management program will also schedule Information Security Risk Assessments.
University Information Security will be responsible for scheduling and prioritizing assessments.
Conduct a Risk Assessment
A standardized approach will be followed for risk assessment, treatment, and monitoring & review. There are four phases, as detailed in the overall process diagram below.
Assets determined to have a moderate-to-high importance, or assets without appropriate security controls, will receive an in-depth risk assessment and will be provided with an ISRM analyst, who will work collaboratively with the unit to determine a risk treatment plan. The unit is responsible for the implementation of the risk treatment plan.
Results of Risk Assessments are owned by both the Administrative or Collegiate unit and University Information Security.
Additional detailed process information is published on the University Information Security Web Site.