Information security risk assessment standard
Purpose
This standard establishes the process for assessing risks associated with university data and information systems (“OHIO Systems”) and documenting and communicating the associated risks to university leadership. The objective of the risk assessment process is to assist university leadership in making informed decisions regarding the treatment or acceptance of those risks. The risk assessments will focus on the confidentiality, integrity, and availability of data based on the level of data classification as outlined in the University's Data Classification (93.001) Policy.
Standard
University policy, Information Security Risk Management (91.006),establishes the University’s Information Security Risk Management Program (“ISRMP”). As a part of the ISRMP the Information Security Office (“ISO”) has developed a formal risk assessment framework that is based on the National Institute of Standards and Technology (NIST) 800 Series Publications. The objective of this framework is to provide a consistent approach to identifying, reporting, mitigating, and managing risks associated with OHIO Systems.
OHIO Systems and information security controls implemented by a unit will be assessed through the ISRMP. The fundamental purpose of the risk assessment is the identification, analysis, and reporting of a unit’s current processes and internal controls compared to the processes and internal controls needed to manage information risks associated with OHIO Systems.
The ISRMP risk assessment process will include the following focus areas:
- Assessment of controls: The unit’s existing security controls, processes, and procedures relating to information security will be assessed in accordance with the NIST Framework. The depth and breadth of the assessment will be correlated with the sensitivity of the data processed by the unit and in accordance with any contractual or regulatory requirements to which the unit is subject.
- Vulnerability analysis: A vulnerability can be defined as a weakness or flaw in an information system, application, network, or process that can be exploited by a threat actor to compromise the confidentiality, integrity, or availability of a system or information asset. Scans are performed to identify system vulnerabilities on a monthly basis.
- Risk analysis: The effectiveness of controls is evaluated and an overall risk level is calculated based on the impact and likelihood of identified threats and vulnerabilities. The objective of the risk analysis portion of the process is to apply consistent evaluation criteria to identified threats and vulnerabilities.
- Risk treatment: At the conclusion of the assessment and analysis of controls, threats and vulnerabilities, the unit will be presented with suggested control improvements in the form of a report. Unit leadership will then be responsible for developing a risk treatment plan by indicating the unit’s plan to accept, reduce, transfer or discontinue the associated risk. Approval authority may be delegated if documented in writing, but ultimate responsibility for risk acceptance cannot be delegated, per the policy Information Security Risk Management (91.006). The following table defines the risk treatment options:
Risk treatment option | Description |
|---|---|
| Accept | Accept the risk as is without the intent to implement any mitigating controls. |
| Reduce | Intent to implement controls to mitigate the risk and / or lessen the impact of the risk on the unit. |
| Transfer | Intent to transfer the risk in all or in part to a third party or another unit within the university. |
| Discontinue | Stop or discontinue the risk-creating activity. |
- Risk monitoring –All university units will be subject to periodic monitoring of risks and controls to ensure a continual risk posture that is in line with the university’s level of risk tolerance.
Risk assessment records will be retained by the Information Security Office according to the university policy Records Management and Archiving (93.002) and applicable laws and regulations.
References
- Policy 91.003 Data Classification
- Policy 91.006 Information Security Risk Management
- Policy 91.005 Information Security
- Policy 93.002 Records Management and Archiving
- NIST 800 Series Publications
- Information Security Standard: Third Party Vendor Management
- Administrative Procedure: Ohio University’s Information Security Risk Management Strategy
Exceptions
All exceptions to this standard must be formally documented with the ISO prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.
Request an exception:
Complete Exception request form.
Governance
This standard will be reviewed and approved by the university Information Security Governance Committee as deemed appropriate based on fluctuations in the technology landscape, and/or changes to established regulatory requirement mandates.
Reviewers
The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:
- Audit, Risk, & Compliance: Josh Gonzalez, Chief Privacy Officer
- Audit, Risk, & Compliance: Larry Wines, Director of Enterprise Risk Management & Insurance
- Distributed IT: Rebecca Petty, IT Operations Manager (College of Arts & Sciences)
- Faculty: Brian McCarthy, Professor; Senior Associate Dean (College of Arts & Sciences)
- Faculty: Shawn Ostermann, Associate Professor (College of Engineering)
- Faculty: Bruce Tong, Assistant Professor of Instruction (Scripps College)
- Finance: Julie Allison, Associate Vice President, Finance
- Human Resources: Michael Courtney, Senior Associate General Counsel/Director of Employee & Labor Relations
- Information Technology: Ed Carter (Chair), Chief Information Security Officer and Senior Director, Information Security
- Regional Higher Education: Larry Tumblin, Director of IT Relationship Management
- Research: Kimberly Littlefield, Associate Vice President for Research Administration
History
Draft versions of this policy were circulated for review and approved on June 1, 2026.