Information Security Risk Management Procedures
Table of Contents
1. Purpose and Background
2. Procedures
a) Survey Tool Completion Procedures
3. Definitions
4. Related Links
5. Exceptions
REVISION HISTORY: May 6, 2022 [1]; November 17, 2020 [2]
1. Purpose and Background
The University of Virginia’s Information Security of University Technology Resources [4] policy, establishes the requirement for all departments to participate in the Information Security Risk Management Program. All departments within the University, College at Wise, Medical Center, and University-Associated Organizations (UAOs) [5] are required to complete an annual information security risk assessment to evaluate the effectiveness of IT security controls, and thus identify and assess IT risks within their environments. The Information Security office is charged with assisting departments in the completion of this task by coordinating and distributing the required annual Information Security Risk Management tool, as outlined in the Information Security Risk Management Standard [6]. The Information Security office establishes the annual timeline for its completion, and acts as the central repository for the completed assessments.
This procedure applies to all departments or units; however, representatives of reporting departments comprised of multiple departmental units may choose to use the tool on behalf the department and its units rather than submitting multiple assessments for such departments.
2. Procedures
Information Security Risk Management Completion Procedures
Participants may access OneTrust [7], the governance, risk, and compliance platform, via Netbadge and then selecting the ISRM 2022 tile.
1. Type in your UVA email address and click “Next” to login through Netbadge.
2. Click on the grid icon at the top left of your screen.
3. Select “Self-Service Portal”
4. Launch the ISRM 2022
5. Complete the form and be sure to hit “Submit”.
For additional information regarding completing the assessment, respondents may visit the FAQ page, located at https://security.virginia.edu/riskmanagement [8].
Note: If a department would prefer to create one primary assesment representing all of its units, the department in question may submit the final survey answers and contact Information Security at is-rm@virginia.edu [9] for options. The Information Security office will duplicate the completed assessment responses across all sub-organizational units.
3. Definitions
See the list of definitions [10] for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.
4. Related Links
- Information Security of University Technology Resources (IRM-004) [4]
- Information Security Risk Management Standard [6]
- Information Security - Risk Management Assessment Guidance [8]
5. Exceptions
If you think you need to request an exception to these requirements, please refer to the Exceptions Process [11].