Table of Contents
1. Purpose and Background
The University of Virginia is committed to preventing incidents that may impact the confidentiality, integrity, and availability of information assets. Identifying, assessing, and mitigating risks is essential for safeguarding information assets. The Information Security of University Technology Resources policy, establishes the requirement for all departments to participate in the Information Security Risk Management Program. The program provides insight into existing risks within a given information technology environment and strategies for reducing or eliminating those risks. The management of each department or unit is required to complete the process at least annually, when there are significant changes to departmental or unit IT resources, or when there are significant changes to the risk environment. The department or unit head will sign off on the deliverables from this process, which will be stored in the University's central repository for these documents.
All departments within the University, College at Wise, Medical Center, and Foundations are required to complete an annual risk assessment to evaluate the effectiveness of IT security controls, and thus identify and assess risks within their environments. The Information Security office is charged with assisting departments in the completion of this task by coordinating and distributing the required annual Risk Management Survey, establishing the annual timeline for its completion, and acting as the central repository for the completed assessments. The tool is to be used for conducting the required risk assessment, which includes updating the department’s mission, business continuity, and disaster recovery plans.
This requirement applies to all departments or units; however, representatives of reporting departments comprised of multiple departmental units may choose to complete a survey on behalf the department and its units rather than submitting multiple surveys for such departments. Leadership within each University department or unit is required to ensure that the survey is completed at least annually, and whenever there are significant changes to departmental or unit IT resources and/or corresponding risk environment. The department or unit head must sign off on the deliverables from the survey, which will ultimately be stored within a central database established and maintained by the Information Security office.
Risk Assessment Tool
Annual distribution of the risk assessment tool is coordinated by the Information Security office, and completion is required. Procedures for using the tool are highlighted in the Information Security Risk Management Procedure. Departments and/or units receiving email correspondence must ensure that instructions contained within the email are followed. The timeline for completing the annual Risk Assessment Survey is established each year by the Information Security office. Departments are required to the follow the prescribed timeline, which includes both survey completion and compliance dates. Survey respondents are encouraged to submit draft surveys to the Information Security office prior to submitting to department or unit heads. Surveys are reviewed by the Information Security office and by University Audit. Departments should take the time to honestly prepare and submit accurate answers, as they are conveying where departmental risks lie and offering areas for improvement. After initial completion of the required analysis and planning, additional follow up may be necessary to address key issues. Administrative/business and technical leaders from the department must be involved in the process. The department heads will approve (sign-off) on the completed report.
See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.
4. Related Links
- Information Security of University Technology Resources (IRM-004)
- Information Security Risk Management Procedures
If you think you need to request an exception to these requirements, please refer to the Exceptions Process.