Risk Assessment and Management

Op12.07-2 Risk Assessment and Management

Definitions

Risk Assessment: The identification of vulnerabilities and threats to information systems and the likelihood and impact of successful attempts to compromise the systems.

Risk Management: Overall strategy for risk control through assessment, mitigation, and monitoring.

Information System: A physical or virtual computer, normally comprising hardware and/or software, data, applications, and communications, that is used by multiple users. An individual, unshared workstation is not an information system.

Policy Statement

A risk assessment must be performed by the Information Security unit of Information Services on every information system placed into service and be performed periodically thereafter.

Internal and external security testing may also be performed periodically at the discretion of the Information Security unit.

The Information Security unit must be consulted prior to the purchase of any physical information system or the implementation of a virtual information system.

Failure of an information system owner to follow this policy may result in detailed monitoring of the owner's systems, disconnection from the network, and/or other appropriate disciplinary action.