
Risk Management

Definition

Risk refers to the possibility of loss of confidentiality, integrity, or availability of campus information assets. Risk is calculated from two factors: the likelihood that a vulnerability will be exploited, and the impact on the campus if it is. Risk Management refers to the entire process, from identifying and evaluating risks, to prioritizing, implementing, and monitoring the mitigations.

Department Responsibility

Departments are responsible for notifying Information Security of any major projects and application procurements in which campus Level 1 and 2 data is stored, accessed, or processed.

Information Security Responsibility

The Information Security team is responsible for performing risk assessments and for identifying the mitigations required to comply with CSU and campus policies.

When is a Risk Assessment required?

The Information Security team performs three types of risk assessments:

  1. Vendor Procurements: A risk assessment is required when a cloud-based vendor or application is being procured and the vendor will be granted access to campus Level 1 and 2 data. This includes hiring consulting services and purchases made with Procurement cards (Pcard).
  2. Internal Risk Assessment: Information Security performs a risk assessment for campus departments and colleges. This type of assessment focuses on the department's Level 1 and 2 data processes. It is performed every 2 years to identify gaps between CSU and campus policy and current department practices.
  3. Project and Process: Information Security performs a risk assessment when a department undertakes a major project that involves campus Level 1 and 2 data, for example a migration from on-premises systems to the cloud.

Risk Management Process

Notification/Request: The department must notify Information Security of any procurement or major project it is undertaking. It is highly recommended that the department notify Information Security while it is still in the research phase; waiting until the last minute can delay the process.

Information Gathering: The Information Security team will request information from the vendor and/or the department. For a vendor procurement, one of the following documents is required from the vendor:

  1. SOC 2 Type II audit report
  2. Cloud Security Alliance Consensus Assessment Initiative Questionnaire (CSA CAIQ)

Assessment Draft: Information Security will draft a risk assessment document. The document highlights the risks and the mitigations that reduce each risk to an acceptable level. The department MPP must sign off on the risk assessment and mitigations.

Assessment Review: Once the draft is complete, Information Security will share it with the appropriate department staff for review. This is the department's opportunity to correct any inaccurate information in the risk assessment and to discuss the mitigations and the plan for implementing them.

Assessment Sign-Off: Once both Information Security and the department agree on the risk assessment draft and the mitigations, the final version is sent to the department MPP via Adobe Sign for signature.

Risk Mitigation: The departments named in the risk assessment document are now responsible for implementing the mitigations. A department may contact Information Security for clarification or assistance with implementing them. Information Security will follow up with the department on the status of the mitigations. Once all mitigations are implemented, the risk assessment is closed.

Risk Exception

In situations where a required mitigation cannot be implemented, a risk exception document is created. This document is similar to a risk assessment document, but it records the unmitigated risk being accepted and requires the signature of both the department MPP and the Vice President of the division.

  1. For procurements involving campus Level 1 and 2 data, Purchasing and Contracts Administration must include .
  2. Cloud-based applications must use Single Sign-On (SSO) where it is available. Where the application does not support SSO, the administrators of the application must ensure that users create their accounts with their campus email address and that account passwords meet .
  3. Departments must maintain a document that tracks user access to every cloud-based application in which Level 1 and 2 data is stored, and must review it annually.
  4. Departments must annually review their records, both in filing cabinets and in any cloud-based applications, to ensure that records are not retained beyond the retention schedule required by the .

Contact Us

Information Technology

Monday to Friday, 8am to 5pm

Faculty Technology Center
(818) 677-3443

IT Help Center
(818) 677-1400

Information Security
(818) 677-6100

(818) 677-5898

Classroom Support
(818) 677-1500
