Search This Site


Main menu

Information Security Risk Management Procedures

Table of Contents

1.  Purpose and Background
2.  Procedures
     a) Survey Tool Completion Procedures
3.  Definitions
4.  Related Links
5.  Exceptions

REVISION HISTORY: November 17, 2020

[Return to Library]

1. Purpose and Background

The University of Virginia’s Information Security of University Technology Resources policy, establishes the requirement for all departments to participate in the Information Security Risk Management Program.  All departments within the University, College at Wise, Medical Center, and Foundations are required to complete an annual risk assessment to evaluate the effectiveness of IT security controls, and thus identify and assess risks within their environments. The Information Security office is charged with assisting departments in the completion of this task by coordinating and distributing the required annual Risk Management Survey, as outlined in the Information Security Risk Management Standard.  The Information Security office establishes the annual timeline for its completion, and acts as the central repository for the completed assessments. The survey is a tool to be used for conducting the required risk assessment.

This procedure applies to all departments or units; however, representatives of reporting departments comprised of multiple departmental units may choose to use the tool on behalf the department and its units rather than submitting multiple assessments for such departments.

[Table of Contents]

2. Procedures

Survey Tool Completion Procedures

Participants are invited to access the survey system via email either by the Information Security office or by an existing user within a common department or unit who is reassigning the completion of the survey to another user. If a respondent is not invited for any reason, he or she may contact the Information Security office at [email protected] to request access.

  1. Once access is granted, respondents are guided through a series of online questions within the survey system. Because the entire survey is self-disclosed, departments must provide as accurate as possible a representation of the actual risk landscape within their IT environment.
  2. Clicking the navigational buttons--  a back arrow and  a forward arrow--at the bottom of each page will guide the user through the survey.
  3. Requests for additional user input will appear throughout the survey, which will consist of document upload links and text box input fields.  This input is required in order to proceed with the tool, so users should input the additional information as requested.
  4. Information Security will review survey responses following completion of the assessment. If the Information Security office determines that significant risk has been unduly accepted by the department, they will escalate the approval of a department’s risk management plan to more senior level management.
  5. Once surveys and any follow-up have been completed, survey responses are migrated and stored within the survey database acting as the central repository.

For additional information regarding completing surveys, respondents may visit the survey FAQ page, located at

Note: If a department would prefer to create one primary survey representing all of its units, the department in question may submit the final survey answers and contact Information Security at [email protected] for options. The Information Security office will duplicate the completed survey responses across all sub-organizational units.

[Table of Contents]

3. Definitions

See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.

[Table of Contents]

4. Related Links

[Table of Contents]

5. Exceptions

If you think you need to request an exception to these requirements, please refer to the Exceptions Process.

[Table of Contents]

APPROVER: Chief Information Security Officer

Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security office will evaluate the report and provide a full investigation if appropriate.

Complete Report Form