The National Institute of Standards and Technology (NIST) defines Risk Management as “The process of managing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security and privacy state of the information system.”
To fulfill its mission of Risk Management, CCIT’s Office of Information Security (OIS) has taken the following steps:
Risk Assessment:
OIS performs risk assessments as part of the procurement and vendor management process, as part of our ongoing vulnerability management processes, and on an ad-hoc basis when requested by University departments. If you would like support from OIS on assessing risk, you can contact us through firstname.lastname@example.org.
Risk Mitigation Strategy:
OIS offers risk mitigation consulting for University network, cloud, and computing assets. OIS has developed a comprehensive set of Minimum Security Guidelines that provide a baseline for managing risk on our network based on the classification of data stored or processed on the asset. For additional information, please see the Data Classification policy.
Continuous Monitoring:
OIS performs continuous monitoring through a variety of tools, processes, and third-party security audits. Identified risks will be tracked by OIS and must be remediated in a timely manner. In the event that a risk cannot be remediated in a timely manner, additional steps should be taken to mitigate the risk as much as possible.