Search within:

Information security risk assessment standard

Purpose

This standard establishes the process for assessing risks associated with university data and information systems (“OHIO Systems”) and documenting and communicating the associated risks to university leadership. The objective of the risk assessment process is to assist university leadership in making informed decisions regarding the treatment or acceptance of those risks. The risk assessments will focus on the confidentiality, integrity, and availability of data based on the level of data classification as outlined in the University's Data Classification (93.001) Policy.

Standard

University policy, Information Security Risk Management (91.006),establishes the University’s Information Security Risk Management Program (“ISRMP”). As a part of the ISRMP the Information Security Office (“ISO”) has developed a formal risk assessment framework that is based on the National Institute of Standards and Technology (NIST) 800 Series Publications. The objective of this framework is to provide a consistent approach to identifying, reporting, mitigating, and managing risks associated with OHIO Systems.

OHIO Systems and information security controls implemented by a unit will be assessed through the ISRMP. The fundamental purpose of the risk assessment is the identification, analysis, and reporting of a unit’s current processes and internal controls compared to the processes and internal controls needed to manage information risks associated with OHIO Systems.

The ISRMP risk assessment process will include the following focus areas:

  1. Assessment of controlsThe unit’s existing security controls, processes, and procedures relating to information security will be assessed in accordance with the NIST Framework. The depth and breadth of the assessment will be correlated with the sensitivity of the data processed by the unit and in accordance with any contractual or regulatory requirements to which the unit is subject.
  2. Vulnerability analysis: A vulnerability can be defined as a weakness or flaw in an information system, application, network, or process that can be exploited by a threat actor to compromise the confidentiality, integrity, or availability of a system or information asset. Scans are performed to identify system vulnerabilities on a monthly basis.
  3. Risk analysis: The effectiveness of controls is evaluated and an overall risk level is calculated based on the impact and likelihood of identified threats and vulnerabilities. The objective of the risk analysis portion of the process is to apply consistent evaluation criteria to identified threats and vulnerabilities.
  4. Risk treatment: At the conclusion of the assessment and analysis of controls, threats and vulnerabilities, the unit will be presented with suggested control improvements in the form of a report. Unit leadership will then be responsible for developing a risk treatment plan by indicating the unit’s plan to accept, reduce, transfer or discontinue the associated risk. Approval authority may be delegated if documented in writing, but ultimate responsibility for risk acceptance cannot be delegated, per the policy Information Security Risk Management (91.006). The following table defines the risk treatment options:
Risk treatment options

Risk treatment option
Description
AcceptAccept the risk as is without the intent to implement any mitigating controls.
ReduceIntent to implement controls to mitigate the risk and / or lessen the impact of the risk on the unit.
TransferIntent to transfer the risk in all or in part to a third party or another unit within the university.
DiscontinueStop or discontinue the risk-creating activity.
  1. Risk monitoring –All university units will be subject to periodic monitoring of risks and controls to ensure a continual risk posture that is in line with the university’s level of risk tolerance.

Risk assessment records will be retained by the Information Security Office according to the university policy Records Management and Archiving (93.002) and applicable laws and regulations.

References

Exceptions

All exceptions to this standard must be formally documented with the ISO prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.

Request an exception:

Complete Exception request form.

Governance

This standard will be reviewed and approved by the university Information Security Governance Committee as deemed appropriate based on fluctuations in the technology landscape, and/or changes to established regulatory requirement mandates.

Reviewers

The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:

  • Audit, Risk, & Compliance: Josh Gonzalez, Chief Privacy Officer    
  • Audit, Risk, & Compliance: Larry Wines, Director of Enterprise Risk Management & Insurance    
  • Distributed IT: Rebecca Petty, IT Operations Manager (College of Arts & Sciences) 
  • Faculty: Brian McCarthy, Professor; Senior Associate Dean (College of Arts & Sciences)    
  • Faculty: Shawn Ostermann, Associate Professor (College of Engineering)    
  • Faculty: Bruce Tong, Assistant Professor of Instruction (Scripps College)    
  • Finance: Julie Allison, Associate Vice President, Finance    
  • Human Resources: Michael Courtney, Senior Associate General Counsel/Director of Employee & Labor Relations    
  • Information Technology: Ed Carter (Chair), Chief Information Security Officer and Senior Director, Information Security  
  • Regional Higher Education: Larry Tumblin, Director of IT Relationship Management  
  • Research: Kimberly Littlefield, Associate Vice President for Research Administration    

History

Draft versions of this policy were circulated for review and approved on June 1, 2026.