University of Minnesota  Procedure

Conducting Risk Assessments


Information Security Risk Management (ISRM) is the process with which the University identifies information security risks and determines their likelihood and impact, incorporates the implementation of plans for remediation, and provides guidance for strategic resource planning.

The University of Minnesota has been described as a collection of organizations with a variety of governance structures, therefore while the Information Security Risk Management Process Diagram below represents the majority of the Information Security Risk Management business processes, variations of the processes are normal and should be expected.

Schedule an Information Security Risk Assessment

To request an Information Security Risk Assessment, email [email protected]

The Information Security Risk Management program will also schedule Information Security Risk Assessments.

University Information Security will be responsible for scheduling and prioritizing assessments.

Conduct a Risk Assessment

A standardized approach will be followed for risk assessment, treatment, and monitoring & review.  There are four phases as detailed in overall process diagram below

Assets determined to have a moderate-to-high importance, or assets without appropriate security controls will be provided with an in-depth risk assessment, and an ISRM analyst who will work collaboratively with the unit to determine a risk treatment plan.  The unit is responsible for the implementation of the risk treatment plan.

Results of Risk Assessments are owned by both the Administrative or Collegiate unit and University Information Security.

Conducting Risk Assessment Diagram

Additional detailed process information is published on the University Information Security Web Site.