IT0124 – Risk Assessment
This policy establishes a formal, documented, IT risk assessment process for the University.
This policy applies to all users of and information technology (IT) resources owned, operated, or provided by the University of Tennessee System including its campuses, institutes, and administration (University and/or Campuses).
“Users” includes but is not limited to students, faculty, staff, contractors, agents, representatives, and visitors accessing, using, or handling the University’s information technology resources.
Information transmitted or stored on University IT resources is the property of the University unless it is specifically identified as the property of other parties.
The University has chosen to adopt the policy principles established in the National Institute of Standards (NIST) 800 series of publications, and this policy is based on those guidelines.
The Chancellor or equivalent at each Campus must designate an individual or functional position responsible for information security at their Campus (Position of Authority and/or Campus Authority). The individual or position should be at a high enough organizational level to allow him/her/it to speak with authority on and for the Campus.
Each Campus must develop or adopt and adhere to a program which demonstrates compliance with this policy and related standards. This program is the responsibility of the Position of Authority.
A Campus may apply more stringent requirements than those documented in this policy provided they do not conflict with or lower the standards or requirements established by this or any other University policy.
Each User of University resources is required to be familiar and comply with University policies. Acceptance of this policy is assumed if a User accesses, uses, or handles University resources.
All University owned information systems that are themselves or contain data classified as Moderate or High per University policy IT0155 shall undergo an appropriate level of IT risk assessment as part of the risk management process. Risk management is an information systems lifecycle approach and not a single point of time evaluation. It is the responsibility of the information system owner to ensure risk is managed.
The relevant definitions and responsibilities of information system owners are documented in University policy IT0115, Information and Computer System Classification.
There are two types of risk common to the university environment: enterprise risk and system risk.
- Enterprise security risks are common to all information and/or systems at a Campus and the identification and management of these risks are subject to the risk evaluation by and tolerance of the Position of Authority at each campus. Each campus is responsible for the management of enterprise security risk, through the deployment of campus-wide plans and procedures.
- Information system security risks involve specific information systems and business processes, which most often have a single department or information system owner. The information system owner is responsible for ensuring adherence to both university-wide risk management activities and information system-specific risks.
The Campus IT risk assessment process shall contain the following:
- Security Categorization
Each Campus shall implement a program for categorizing information and systems as defined in University policy IT0115, Information and Computer System Classification, and in accordance with applicable state and federal laws and University directives and policies. The program shall document the security categorization results for all information systems for review and evaluation purposes.
- Risk Assessment
Each campus shall create and implement an IT risk assessment process with defined and documented procedures that consider threats inherent in information use while balancing the business needs of the Campus. The process shall evaluate the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits. This includes recording all risk assessment results, routinely reviewing the risk assessments, and updating the process whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security of the information system.
The process shall take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities).
The IT risk assessment process shall follow the steps defined in NIST Special Publication 800-100. Each Campus shall create and implement their own Risk Assessment process.
- Vulnerability Management
Each Campus shall develop or adopt a program to manage system vulnerabilities.
Risk – Risk is a threat and a vulnerability that may result in unwanted loss of assets or delays to normal business operations.
Information Technology (IT) Risk Assessment – The process of identifying and measuring the factors that could negatively affect the security of information technology resources.
March 11, 2015