1. Purpose

   The information security risk management program ("ISRMP") is the formal process to manage information security risks to Ohio university ("Ohio") to ensure the confidentiality, integrity and availability of university data and information systems ("Ohio systems"), as outlined in the policy 93.001 “Data classification”. The ISRMP serves a strategic role in addressing the constantly evolving information security threat landscape by aligning our information technology practice with the university’s risk tolerance.

2. Scope

   This policy applies to all data created, collected, stored, processed or transmitted by the university and Ohio systems. 

3. Policy

   1. Ohio systems will be assessed for any risks or threats to the integrity, availability and confidentiality of data prior to significant changes to Ohio systems, in accordance with the university information security officer role as outlined in policy 93.001 "Data classification".

   2. Assessments will be performed periodically for Ohio systems that store, process or transmit sensitive data.

   3. Risks identified from an assessment will be mitigated, transferred or accepted by the responsible business owner as described in policy 93.001 "Data classification".

   4. Residual risks will only be accepted by those person(s) with the appropriate level of authority, based on the level of risk determined by the information security office ("ISO"). Approval authority may be delegated if documented in writing, but ultimate responsibility for risk acceptance cannot be delegated.

      Risk Level	Risk Acceptance Responsibility
      High	President or delegate
      Medium	Deans & administrative officers
      Low	Business owner

   5. Each mission critical Ohio system will have a system security plan, prepared using input from risk, security and vulnerability assessments, by the responsible business owner.

4. Responsibilities

   1. The ISO will provide assessments of risks and recommendations to remediate discrepancies found according to industry specific frameworks, methodologies, or business best practices.
   2. Business owners will be responsible for ensuring that mission critical Ohio systems being maintained by them are adequately assessed for risk, and that any identified risks are accepted, mitigated, or transferred.

5. Enforcement

   Users, as defined in policy 91.005 "Information security" will report any non-compliance with any part of this policy to the ISO (security@ohio.edu).

   Users who do not comply with this policy or related information security standards may be denied access to information technology ("IT") resources, as well as be subjected to disciplinary action, up to and including termination.

6. Exceptions

   As defined in policy 91.005 "Information security"

7. Authority

   Policy 91.005 "Information security"

Reviewers

Proposed revisions of this policy should be reviewed by:

1. Academic Leadership

2. Vice President for Finance & Administration Leadership

3. Faculty Senate

4. Student Senate

Forms, References, and History

1. Forms

   The following forms are specific to this policy:

   1. The “Exception Request Form” is available from ISO or online through https://www.ohio.edu/oit/security
   2. The “Policy Exception Template” is available from ISO or online through https://www.ohio.edu/oit/security
   3. The “Risk Acceptance Form” is available from ISO or online through https://www.ohio.edu/oit/security

2. References

   The following items are relevant to this policy:

   1. Policy 93.001 “Data Classification”
   2. Policy 91.005 “Information Security”
   3. NIST 800 Series Publications
   4. HIPAA Security Rule 
   5. OU‑RM‐XXXXX: Information Security Risk Assessment Standard
   6. OU‑SS‑XXXXX: System Security Plans Standard
   7. OU‑VM-XXXXX: Third Party Vendor Management Standard

3. History

   Draft versions of this policy that were circulated for review, their cover memos, their forms and reviewers’ comments on them are available on the password-protected review site, at https://www.ohio.edu/policy2/91-006.