Risk Assessment and Management
Risk Assessment: The identification of vulnerabilities and threats to information systems and the likelihood and impact of successful attempts to compromise the systems.
Risk Management: Overall strategy for risk control of information systems through assessment, mitigation, and monitoring.
Information System: A physical or virtual computer that normally includes hardware and/or software, data, applications, and communications, is used by multiple users, and is not an individual, unshared workstation.
A risk assessment must be performed by the Computer Services Information Security Unit on every information system placed into service and be performed periodically thereafter. Internal and external security testing may also be performed periodically at the discretion of the Information Security Unit. Consultation with the Information Security Unit will be done prior to the purchase of any physical information system or the implementation of a virtual information system.
The Information Security Unit will maintain an inventory of all information systems assessed.
Failure of an information system owner to follow this policy may result in detailed monitoring of the owner's systems, disconnection from the network, and/or other appropriate disciplinary action as deemed necessary by the Information Security Officer.
Reason or Purpose for Policy
Risk assessment and management is at the heart of information security and provides the foundation for selecting appropriate security controls.
Entities Affected by this Policy
All entities contained in or under the direction of the Missouri State University system.
Line of Authority
- Responsible Administrator and Office: Chief Information Officer (CIO)
- Contact Person in that Office: Information Security Officer (ISO)