Administrative Regulation Title: Risk Management

Regulation Number: 7.1.1

_____________________________________________________________________________________

Purpose:

This Risk Management Administrative Regulation (this “Admin Reg”) sets forth the information security risk management standards of the College (the “Risk Management Program”). Identifying, assessing, and mitigating risks are essential for safeguarding Institutional Resources. The Information Security Policy requires all departments in the College to follow the Risk Management Program in their management, use, and maintenance of Institutional Resources. The Risk Management Program allows for identified risks to be assigned a numerical score based on the impact of such risk and the probability such risk will occur.

Definitions:

Capitalized terms not defined in this Admin Reg have the meaning set forth in the Information Security Policy.

Scope:

This Admin Reg applies to all Institutional Resources and the Personnel involved in management and maintenance of such resources.

Roles and Responsibilities:

The College’s Chief Information Officer (“CIO”) is responsible for creating and managing the Risk Management Program, and coordinating the development and maintenance of program policies, procedures, and standards, including the risk assessment methodology (“RAM”). Personnel who manage and maintain Institutional Resources are responsible for following the established risk management standards.

Overview of Risk Management Standards:

The Office of Information Technology (“OIT”) will work with Personnel to periodically assess the risk to the College and its assets resulting from the operation of IT Resources and processing, storage, or transfer of Institutional Data. Assessments will include analysis of the threats to and vulnerabilities of Institutional Resources, likelihood that such threats or vulnerabilities will be exploited, and potential impact of any such exploitation. Analysis will consider threats and vulnerabilities related to internal assets and entities as well as external entities (i.e., service providers, others acting on behalf of the College, etc.). Risk assessments must identify, quantify, and prioritize risk acceptance and objectives relevant to the College, and the results should guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls to protect against such risks.

Risk Management Program:

Risk management is an ongoing lifecycle that includes the following steps:

Step 1.  Categorize

Categorize the IT Resource and/or Institutional Data processed, stored, and transmitted by that resource based on sensitivity and risk of harm to individuals and the College if the information is subject to a breach or unauthorized disclosure, in accordance with the Information Classification Administrative Regulation.

All IT Resources that create, process, store, or transmit Confidential (Level 2) or Highly Sensitive (Level 3) data must be assessed for risk to the College that results from threats to the integrity, availability, and confidentiality of the data. Within the NIST framework, security controls are added or removed based on the data classification level.

Step 2.  Select

Select an initial set of baseline security controls based on the classification levels.

Step 3.  Assess

Assess the extent to which security controls are correctly implemented, operating as intended, and producing the desired outcome.

The core elements of a risk assessment (utilizing the RAM or other approved methodology) include:

  • Scope of assessment;
  • Current state of security control implementation;
  • Documentation of identified threats, vulnerabilities, and risks associated with the resource; and
  • Mitigation recommendations to reduce risks and threat potential to the resource.

Risk assessments for IT Resources that create, store, process, or transmit Confidential (Level 2) or Highly Sensitive (Level 3) data are required to be conducted under the following circumstances:

  • After a major architectural change to the resource;
  • Soon after a serious IT security incident is reported; and/or
  • When required by regulation or law.

OIT may prioritize assessment schedules based upon data classification, institutional priorities, compliance requirements, or contractual obligations.

The chart below summarizes requirements for risk assessments by classification level:

Data Classification Level    Required or Recommended    Risk Assessment Frequency
Highly Sensitive (Level 3)   Required                   As defined by regulation
Confidential (Level 2)       Required                   As defined by regulation, after new system implementation, or after major system change
Public (Level 1)             Recommended                After new system implementation or after major system change

Assessment Outcomes:

All risk assessment outcomes must be provided to OIT. Once a risk has been identified, using the Risk Matrix in Appendix A, OIT will work with relevant Personnel to assign the threat an impact category and likelihood score that are used to determine the threat’s risk matrix score. The risk matrix score allows for all risks to be evaluated equally in order to appropriately assign resources for mitigation. OIT and relevant Personnel will then work together to develop and implement risk mitigation actions and strategies to reduce the risk to acceptable levels. Risk Treatment Plans (described below) provide the structure for actively managing identified risks.

Risk assessments are considered IT security data classified as Confidential (Level 2) and should be maintained as confidential records and made available only to designated Personnel and others with job-related responsibilities.

Step 4.  Implement

Implement the appropriate risk-reducing controls as identified by the risk assessment process.

A Risk Treatment Plan is provided as soon as possible after completing the risk assessment (within two weeks wherever possible). This is an action plan that requires the assessed area to review all security control recommendations and either: (a) agree to mitigate as stated; or (b) propose an alternative to, or a revision of, specific control recommendation(s). Plans must be reviewed and accepted by applicable leadership within two months after receipt of the plan.

Components of risk treatment plans include:

  • Applicable risk matrix score(s);
  • Description of security control recommendation(s);
  • Primary Personnel responsibility for each recommendation;
  • Estimated financial costs, time, and staffing resources to carry out identified mitigation recommendations, including estimated start and completion dates; and
  • Metrics to evaluate progress and success.

In general, risks identified by a risk assessment and included in a Risk Treatment Plan must be mitigated or accepted on a priority basis within the following timeframes:

  • 60 days to create remediation plan; and
  • 180 days to address findings, with timeframes running concurrently.

Non-trivial changes to Risk Treatment Plans, once adopted, must be documented and approved by applicable leadership.

Identified risks must be addressed by one of the following:

  • Implementing identified control(s) (information security risk mitigation);
  • Sharing or shifting the risk to another party (information security risk transference); or
  • Assuming or accepting the identified risk (information security risk acceptance).

Step 5.  Evaluate

Evaluate whether an identified but unmitigated risk is acceptable.

In general, Personnel may not unilaterally accept any information security and compliance risk that results in the College’s vulnerability to cyber risks. Specifically:

  • Risks that are given a risk matrix score of 15 (see Appendix A) but are not mitigated within an established timeframe may only be accepted on behalf of the College by applicable leadership, with the written acknowledgement of the CIO.
  • Approval authority may be delegated if documented in writing, but ultimate responsibility for risk acceptance on behalf of the College cannot be delegated.

Step 6.  Monitor and Follow-up

OIT will follow up with departments and Personnel on an ongoing basis to track, and ensure, progress on open Risk Treatment Plan items.


References:

Information Classification Administrative Regulation

Information Security Policy


Revision History:

Original Adoption Date: 1/29/24

Revision Date(s):

Date Reviewed, no change:

Appendix A: Risk Matrix

Impact Category

1 – Insignificant
  • Brief disruption to service delivery
  • IT services not available for less than 2 hours
  • Data loss isolated to one or a very small group of people affected
  • Financial implications are negligible

2 – Minor
  • Some disruption to service delivery of up to 24 hours
  • IT services not available for up to 8 hours
  • Small to medium group of people affected by data loss
  • Some financial implications

3 – Moderate
  • Disruption to service delivery of up to 48 hours
  • IT services not available for up to 48 hours
  • Large group of people affected by data loss
  • Moderate financial implications

4 – Major
  • Unable to deliver services for more than one week
  • IT services not available for more than one week
  • Significant group of people affected by data loss
  • High financial implications

5 – Catastrophic
  • Rebuilding of foundational systems required
  • IT services not available for more than one month
  • Very high financial implications
  • Brand tarnished to the extent that re-branding may be necessary


Likelihood Score    Probability    Frequency
1                   Rare           Expected no more than once every other year
2                   Unlikely       Expected every year
3                   Possible       Expected every month
4                   Likely         Expected weekly
5                   Certain        Expected daily


Risk Matrix Score (impact category by likelihood score)

                      Likelihood
Impact                1 Rare    2 Unlikely    3 Possible    4 Likely    5 Certain
5 Catastrophic        5         10            15            20          25
4 Major               4         8             12            16          20
3 Moderate            3         6             8             12          15
2 Minor               2         4             6             8           10
1 Insignificant       1         2             3             4           5