Risk Assessment Policy
| Applies to: | Original Policy Date: | Date of Last Review: | Approved by: |
|---|---|---|---|
| Florida Tech campus | August 2024 | August 2024 | Dr. John Nicklow, President |
Policy Owner: Information Security Officer (ISO)
Policy Purpose
The purpose of this policy is to ensure compliance with federal and state laws and regulations, protect the confidentiality and integrity of Florida Tech's IT resources, and support informed decision-making regarding risk tolerance and acceptance. This policy aims to systematically identify, evaluate, and manage information security risks to safeguard university assets.
Policy Scope
This policy applies to all members of the Florida Tech community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors. It encompasses all uses of Florida Tech's IT resources, whether individually controlled, shared, stand-alone, or networked, both locally and remotely.
Policy Statement
The Information Security Officer (ISO), or designated representatives, will conduct periodic information security risk assessments to identify vulnerabilities and initiate appropriate remediation actions.
Procedures/Guidelines
Risk assessments must follow these procedures:
- Conducting Risk Assessments:
  - Annual Assessments: Conduct formal risk assessments annually to account for changes in the security landscape, including new threats, vulnerabilities, and technological advancements.
  - Scope Definition: Clearly define the scope of each assessment, ensuring it covers all relevant IT resources, departments, and processes.
  - Engagement with Stakeholders: Engage with key stakeholders, including department heads, IT staff, and external experts, to gather input and validate findings during the assessment process.
- Systematic Approach to Risk Analysis and Evaluation:
  - Risk Analysis: Use a systematic approach to assess the magnitude of each risk, considering both the potential impact and the likelihood of occurrence. This analysis should involve detailed evaluations of IT systems, processes, and data, and should be capable of producing comparable and reproducible results.
  - Risk Evaluation: Compare the results of the risk analysis against predefined risk criteria to determine the significance of each risk. This evaluation will help in deciding which risks require immediate action and which can be monitored over time.
- Guide and Determine Appropriate Management Actions:
  - Management Actions: Based on the prioritized risks, determine appropriate risk management strategies. This may include implementing new controls, enhancing existing controls, transferring risks (e.g., through insurance), accepting certain risks, or developing contingency plans.
  - Decision-Making: Use the results of the risk assessment to inform decision-making processes related to risk tolerance and acceptance at the university. This ensures that risk management aligns with Florida Tech's strategic objectives and regulatory requirements.
- Documenting Risk Assessment Findings:
  - Comprehensive Documentation: Document the findings of the risk assessment in a detailed report. This report should include the identified risks, their assessed impact and likelihood, prioritized risk rankings, and recommended management actions.
  - Risk Register: Maintain a risk register that logs all identified risks, their status, and any mitigation actions taken. The risk register should be regularly updated to reflect new assessments, changes in risk status, and the implementation of mitigation measures.
  - Executive Summary: Prepare an executive summary of the risk assessment findings for senior management, highlighting the most critical risks and proposed actions.
- Communicating Risk Assessment Findings:
  - Internal Communication: Communicate the findings of the risk assessment to relevant stakeholders within the university, including the Information Security Officer (ISO), IT department, and university leadership. Use meetings, reports, and presentations to ensure that all parties understand the risks and their implications.
  - Training and Awareness: Provide training and awareness sessions to inform university community members about the identified risks and their roles in mitigating these risks.
- Tracking and Monitoring Risk Mitigation:
  - Action Plans: Develop action plans for each identified risk, outlining the steps required to mitigate or manage the risk. Assign responsibility for each action to specific individuals or departments, with clear timelines for completion.
  - Progress Tracking: Use project management tools or a risk management dashboard to track the progress of risk mitigation efforts. Regularly update the status of each risk in the risk register and communicate progress to stakeholders.
  - Ongoing Monitoring: Continuously monitor the effectiveness of risk mitigation measures and reassess risks as necessary. Adjust risk management strategies in response to new developments, changing risk landscapes, or the completion of mitigation actions.
Definitions
- Control: A defined process or procedure to reduce risk.
- Inherent Risk: The level of risk before risk treatments (controls) are applied.
- IT Resources: Computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, SaaS vendors, and any related materials and services.
- Residual Risk: The level of risk remaining after risk treatments (controls) are applied.
- Risk: The possibility of suffering harm or loss or the potential for realizing unwanted negative consequences of an event.
- Risk Management: The ongoing process of assessing risks and implementing plans to address them.
- Risk Assessment: The process of taking identified risks and analyzing their potential severity and likelihood of occurrence.
- Risk Treatment: The process of managing assessed or identified risks. Risk treatment options include risk avoidance (withdrawal), sharing (transfer), modification (reduction or mitigation), and retention (acceptance).
Compliance Reference
This policy is in alignment with relevant legal and regulatory requirements, including:
- NIST Cybersecurity Framework: Providing a policy framework for cybersecurity to protect critical infrastructure.
- ISO/IEC 27001: Standards for information security management systems.
- Health Insurance Portability and Accountability Act (HIPAA): Ensuring the security of health-related information.
- Family Educational Rights and Privacy Act (FERPA): Protecting the confidentiality of student records.
Adherence to this policy is critical for maintaining compliance with these standards and regulations, thereby protecting the university's assets and reputation.
Responsibilities
- Information Security Officer (ISO): Responsible for overseeing the risk assessment process, including the development and implementation of the ISRM program, and ensuring that risk assessments are conducted systematically and comprehensively.
- IT Department: Responsible for conducting risk assessments in collaboration with third-party assessors. This includes coordinating with external experts to ensure that all aspects of the IT infrastructure are evaluated for potential risks and vulnerabilities.
- Third-Party Assessors: Engage with the IT department to provide an independent and objective analysis of the university's information security posture, offering recommendations for risk mitigation.
- University Community Members: All users of Florida Tech's IT resources must cooperate with risk assessment activities and comply with any risk mitigation measures identified through these assessments.