Information security risk management strategy
In accordance with university policy 91.006: Information Security Risk Management, the Information Security Risk Management Program (ISRMP) is the formal process by which the university manages risks to the confidentiality, integrity, and availability of university data and information systems. Ohio University (OHIO) maintains a risk-management framework that requires periodic risk assessments of systems and applications, as well as departmental business processes, that store, maintain, or process institutional data.
Management of institutional risk is a core component of OHIO’s ISRMP. To facilitate the management of such risks, OHIO has adopted the NIST Risk Management Framework as a guide to its institution-wide risk-based approach for assessing and prioritizing resource allocation for managing identified risks to systems, data, and processes.
Risk assessments can identify security gaps within a unit or information system and play an important role in determining the overall information security posture of the unit or system. Risk assessments conducted across campus help in determining the university’s overarching information security profile, as well as identifying common risks and deficiencies.
The OHIO ISRMP consists of a continuous lifecycle that includes the following steps:
Step 1: Categorize
Categorize the information system and the information and data processed, stored, and transmitted by that system/unit based on sensitivity and corresponding risk of harm to individuals and the university if the information is subject to a breach or unauthorized disclosure.
All information systems that create, process, store, or transmit High Sensitivity data must be assessed for risk to the university that results from threats to the integrity, availability, and confidentiality of the data.
The sensitivity level of information assets shall be categorized according to their confidentiality, integrity, and availability, based on the procedures set forth in university Policy 93.001: Data Classification.
Step 2: Assess
Assess the extent to which security controls are effectively implemented, operating as intended, and producing the desired outcome.
The core elements of a risk assessment include:
- Scope of the assessment
- Current state of security control implementation (fully implemented, partially implemented, planned, or non-existent)
- Documentation of identified threats, vulnerabilities, and risks associated with the system
- Recommendations for improvements in security controls to reduce risks and threat potential to the systems or processes
Risk assessments for systems, applications, or areas that create, store, process, or transmit High Sensitivity level data must be conducted according to the following schedule, either by Information Security Office (ISO) staff or by other ISO-approved qualified security professionals:
- Every four years at a minimum, based on priority
- Soon after a serious IT security incident is reported
- When required by regulation or law
Due to staffing constraints, ISO may prioritize assessment schedules based upon data classification, institutional priorities, compliance requirements, or contractual obligations.
Units known to process highly sensitive data include, but are not limited to: Admissions, Bursar, Registrar, Financial Aid, Speech & Hearing Clinic, WellWorks, HR and HR Benefits, Physical Therapy, Legal Affairs, Housing, Research, Grants & Accounting, and Institutional Research.
Risk assessments for non-mission-critical systems or applications that create, store, process, maintain, or transmit Moderate Sensitivity or Low Sensitivity data are not necessarily conducted by ISO staff; they may instead be performed by unit staff using the ISO Risk Management Framework or a less rigorous security assessment methodology.
The chart below summarizes requirements for risk assessments by data classification level and mission criticality (High Sensitivity data classification requires an assessment regardless of criticality designation):
Data classification level/mission criticality | Required or recommended | Risk assessment frequency | Assessment performed by |
---|---|---|---|
High | Required | Every 4 years at a minimum, or annually, depending on the applicable regulatory compliance requirements | ISO, or ISO-approved security professionals |
Moderate or Low/Critical | Required | Every 4 Years | ISO or Unit IT |
Moderate or Low/Non-Critical | Recommended | Every 4 Years | Unit IT |
Assessment outcomes
- The results of unit-conducted risk assessments, and any associated remediation plans, must be provided to ISO.
- Once a risk has been identified, units will work with ISO to develop and implement risk mitigation actions and strategies to reduce the risk to acceptable levels. Risk Treatment Plans provide the structure for actively managing identified risks.
- A Risk Assessment Report is provided to the assessed area after completing the risk assessment process, within two weeks whenever possible.
- Risk Assessment Reports are considered IT security data classified as High Sensitivity and should be maintained as confidential records, made available only to designated staff or assessed units and others with job-related responsibilities, such as Internal Audit and Legal Affairs.
Step 3: Implement
Implement the appropriate risk-reducing controls as identified by the risk assessment process.
A Risk Treatment Plan is provided as soon as possible after completing the risk assessment, within two weeks wherever possible. This is an action plan which requires the assessed area to review all security control recommendations and either:
- Accept the risk, subject to appropriate authority as follows:
Risk level | Risk acceptance responsibility |
---|---|
High | President or Delegate |
Medium | Deans & Administrative Officers |
Low | Business Owner |
Note: Approval authority may be delegated if documented in writing, but ultimate responsibility for risk acceptance cannot be delegated.
- Agree to mitigate the risk as stated, or propose an alternative to, or a revision of, specific control recommendation(s).
- Transfer the risk (sharing or shifting the risk to another party).
Plans must be reviewed and accepted by unit leadership within two months after receipt of the plan. Acceptance of the final risk treatment plan shall be communicated to ISO in writing.
Components of risk treatment plans include:
- Description of security control recommendation
- Responsibility matrix for each recommendation, identifying the individuals who are responsible, accountable, consulted, and informed for that recommendation
- Estimated financial costs, time and staffing resources to carry out identified mitigation recommendations, including estimated start and completion dates
- Metrics to evaluate progress and success.
In general, risks identified by a risk assessment and included in a Risk Treatment Plan must be mitigated or accepted on a priority basis within the stipulated time frame of the Risk Treatment Plan. Non-trivial changes to Plans, once adopted, must be documented and accepted in writing by unit leadership, principal investigator, or other appropriate senior official.
Risk Treatment Plans must be completed within two years unless otherwise specified. Wherever possible, the highest-priority items should be addressed first.
Step 4: Authorize
Authorize that an identified but unmitigated risk is acceptable.
Risks are expressed in the Risk Assessment Report as High, Medium, and Low.
In general, OHIO units and individuals may not unilaterally accept information security and compliance risk that results in the greater university’s vulnerability to cyber risks. Specifically:
- Residual high risks that are identified in risk assessments but not mitigated within the established timeframe may only be accepted on behalf of the university by executive leadership.
- Approval authority may be delegated if documented in writing, but ultimate responsibility for risk acceptance on behalf of the university cannot be delegated.
Step 5: Monitor and follow-up
ISO will follow up with units on an ongoing basis to ensure and track progress of open Risk Treatment Plan items.
References
- NIST SP 800-30, Revision 1: Guide for Conducting Risk Assessments
- Policy 91.006 Information Security Risk Management
- Policy 93.001: Data Classification
Governance
This standard will be reviewed and approved by the university Information Security Governance Committee as deemed appropriate, based on changes in the technology landscape and/or changes to established regulatory requirements.
Reviewers
The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:
- Information Technology: Ed Carter (Chair)
- Human Resources: Michael Courtney
- Faculty: Hans Kruse
- Faculty: Brian McCarthy
- Finance and Administration: Julie Allison
- Associate Dean: Shawn Ostermann
- Regional Higher Education: Larry Tumblin
- Research and Sponsored Programs: Maureen Valentine
- Enterprise Risk Management and Insurance: Larry Wines
History
Draft versions of this policy were circulated for review and approved on 02/03/2022.