Purpose
To provide Â鶹ӰÊÓ with guidance in identifying and gaining an understanding of the components of the institution that make up its information security system and thereby enable Â鶹ӰÊÓ to manage cybersecurity risk to systems, assets, data, and capabilities.
Policy
Risk assessments take into account threats, vulnerabilities, likelihood, and impact to Â鶹ӰÊÓ assets, individuals, and other organizations based upon the use of the Â鶹ӰÊÓ system. Â鶹ӰÊÓ periodically conducts assessments of risk, which include the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification and/or destruction of the Â鶹ӰÊÓ system, system components, and the information processed, stored or transmitted by the system. Risk assessment results are documented and reviewed by the Â鶹ӰÊÓ Security Official or designee. The risk assessment results are then disseminated to appropriate faculty and staff including, but not limited to, the Â鶹ӰÊÓ executive staff. Risk assessments are conducted annually by Â鶹ӰÊÓ or whenever there are significant changes to Â鶹ӰÊÓ, its system, or other conditions that may impact the security of Â鶹ӰÊÓ.
Summary
- Physical (hardware) and software assets will be assessed as to vulnerability and those vulnerabilities will be documented.
- From time to time a vulnerability scan on those assets will be conducted in order to assess vulnerability in either the information system or its hosted applications.
- Â鶹ӰÊÓ uses a variety of sources in order to assist in determining asset vulnerabilities.
- These sources can include but are not limited to US-CERT bulletins, InfraGard, the Federal Trade Commission (FTC) and the Research Education Networking Information Sharing and Analysis Center (RENISAC)
- When threats are identified they will be documented as to type of threat, a description of the threat and the characteristics of the threat.
- Threats will be classified in relationship to the potential for adverse impact on the College.
- Once a risk is identified, it will be reduced or mitigated.
- Â鶹ӰÊÓ understands that risks exist regardless of efforts and will address risks as they become suspected or evident.
Risk Assessment Policy Details [pdf]