Information Security Risk Management

General

This section implements Integrated CSU Administrative Manual Policy 8020.0.

The SANS Institute defines risk as "the potential harm that may arise from some current process or from some future event".

From an information security perspective, risk management is the process of understanding and responding to factors that may lead to a failure in the confidentiality, integrity, or availability of an information system.

Risk Assessment

Each T&I manager continually seeks to detect, assess, and mitigate information security risks in their program area.

T&I will establish a documented, qualitative risk assessment process that meets or exceeds the requirements of University Policy FA.32.002 – Policy on Risk Management. T&I Leadership and the Information Security Officer (or designee) will jointly assess any risk that could result in the loss of Level 1 or Level 2 protected data (as defined in University Policy IT.01.002 - Policy of Data Classification Standard) or in significant disruption to enterprise systems.

Information Security personnel will periodically audit the campus computing environment for changes and vulnerabilities that could give rise to operational risks.

Risk Mitigation

Once a risk to the campus is identified, T&I will take appropriate actions to mitigate the risk. Mitigation strategies in order of preference include—

  • Risk transference, or transferring the risk to other parties such as insurers, suppliers, or software service providers,
  • Risk avoidance, by not allowing actions that would cause the risk to occur,
  • Risk control, applying controls and other actions that reduce or prevent the risk, or
  • Risk acceptance, the knowing acceptance of an operational risk in a manner that satisfies the University’s policy on risk assessment.