Information Security Risk Management Standard

Table of Contents

1.  Purpose and Background
2.  Standard
     a) Information Security Risk Assessment Tool
3.  Definitions
4.  Related Links
5.  Exceptions

REVISION HISTORY: June 1, 2022

1. Purpose and Background

The University of Virginia is committed to preventing incidents that may impact the confidentiality, integrity, and availability of information assets. Identifying, assessing, and mitigating risks is essential for safeguarding information assets. The Information Security of University Technology Resources policy establishes the requirement for all departments to participate in the Information Security Risk Management program. The program provides insight into existing risks within a given information technology environment and strategies for reducing or eliminating those risks. The management of each department or unit is required to complete the process:

  • at least annually,
  • when there are significant changes to departmental or unit IT resources, or
  • when there are significant changes to the risk environment.

All departments within the University, College at Wise, Medical Center, and University-Affiliated Organizations are required to complete an annual information security risk assessment to evaluate the effectiveness of information technology (IT) security controls, and thus identify and assess risks within their environments. The Information Security office is charged with assisting departments in the completion of this task by:

  • coordinating and distributing the required annual IT Risk Management Assessment,
  • establishing the annual timeline for its completion, and
  • acting as the central repository for the completed assessments.

The information security risk assessment tool is to be used for conducting the required information security risk assessment.

This requirement applies to all departments or units; however, representatives of reporting departments comprising multiple departmental units may choose to complete an ISRM assessment on behalf of the department and its units rather than submitting multiple assessments for such departments. Leadership within each University department or unit is required to ensure that the ISRM assessment is completed at least annually, and whenever there are significant changes to departmental or unit IT resources and/or the corresponding risk environment. The ISRM document will ultimately be stored within a central database established and maintained by the Information Security office.

2. Standard

Information Security Risk Assessment Tool

Annual distribution of the information security risk assessment tool is coordinated by the Information Security office, and completion is required. Procedures for using the tool are highlighted in the Information Security Risk Management Procedure.

Departments and/or units receiving email correspondence must ensure that instructions contained within the email are followed.

The timeline for completing the annual Information Security Risk Assessment is established each year by the Information Security office. Departments are required to follow the prescribed timeline, which includes both the ISRM completion and compliance dates.

Departments should take the time to honestly prepare and submit accurate answers, as they are conveying where departmental risks lie and offering areas for improvement.

After initial completion of the required analysis and planning, additional follow-up may be necessary to address key issues. Administrative/business and technical leaders from the department must be involved in the process.

3. Definitions

See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.

4. Related Links

5. Exceptions

If you think you need to request an exception to these requirements, please refer to the Exceptions Process.

APPROVER: Chief Information Officer