Information Security Risk Management Procedures

Date: 5/28/2025
Last Revised: 5/28/2025
Governing Standard: Information Security Risk Management Standard
Applies To: Academic Division, the Medical Center, the College at Wise, and University-Associated Organizations.

Table of Contents

1. Purpose and Background
2. Procedures
3. Definitions
4. Related Links
5. Exceptions

1. Purpose and Background

The University of Virginia’s Information Security of University Technology Resources policy establishes the requirement for all departments to participate in the Information Security Risk Management Program. All departments within the University, College at Wise, Medical Center, and University-Associated Organizations (UAOs) are required to complete an annual information security risk assessment to evaluate the effectiveness of IT security controls, and thus identify and assess IT risks within their environments. The Information Security office is charged with assisting departments in the completion of this task by coordinating and distributing the required annual Information Security Risk Management tool, as outlined in the Information Security Risk Management Standard. The Information Security office establishes the annual timeline for its completion and acts as the central repository for the completed assessments.

This procedure applies to all departments or units; however, representatives of reporting departments comprised of multiple departmental units may choose to use the tool on behalf of the department and its units rather than submitting multiple assessments for such departments.


2. Procedures

Information Security Risk Management Completion Procedures

The annual Information Security Risk Management (ISRM) assessment has been launched. Please download the step-by-step instructions on How to Access and Complete an ISRM here. An Inventory template is available to help you with the inventory questions.

Once the completed ISRM has been reviewed, you will receive an email from Isora; you can then log into Isora and download a copy of your report.

The Isora email will have the following address and subject line:

From address: [email protected]

Subject line: Information Security Risk Management (ISRM) for <DEPARTMENT NAME HERE> is complete

Please share the results with your business areas. If you wish to have this sign-off documented for compliance, we are happy to store any emails you share with us within Isora. Otherwise, the department should retain the sign-off itself.


3. Definitions

See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.


4. Related Links


5. Exceptions

If you think you need to request an exception to these requirements, please refer to the Exceptions Process.


Approved By, Date: Chief Information Security Officer
Next Scheduled Review: 05/28/28
Revision History: 05/28/25; 05/06/22; 11/17/20