The University of Texas at San Antonio
Office of Information Technology
Office of Information Security (OIS) Standards
OIS 15 – Standard for Information Security Risk Assessment
I. STANDARD STATEMENT
Departments and data owners who manage information resources must sponsor formal risk assessments to identify potential problems that would affect the operation and security of their information assets. Risk assessments are the first step in the process of protecting information resources, and they shape mitigation strategies and plans.
This standard supports HOP Policy 8-12 Information Resources Use and Security Policy
This standard applies to all UTSA faculty, staff, and students.
If you have any questions about OIS 15 Standard for Information Security Risk Assessment contact the following office:
The Office of Information Security
- “appropriate unit level” – For administrative areas, appropriate unit levels would be departments or business units reporting to associate vice presidents (AVP). AVPs and vice presidents will summarize the assessments to provide summary assessments to the Office of Information Security.
- For academic areas, appropriate unit levels would be academic departments and Principal Investigators (PIs) of grants. These may be combined or separate. College deans and the Provost office will summarize the assessments to provide an Executive Summary to the Office of Information Security. “regular basis” – Risk assessments will be performed annually.
- “risk assessment strategy report” – This is the report that that results from the assessment. It should cover the planning and controls for the most critical risks, identification information for each asset, contacts and contact information, vulnerabilities and threats, and actions and resources needed to mitigate or accept risk.
- “staff members who perform the risk assessment” – likely to include Information Security Administrators, Information Technology Associates and other functional managers
- Risk assessments will be performed annually at an appropriate unit level, summarized and provided to upper organization levels.
- The Risk Assessment must include, at minimum:
- Perform an application or server risk assessment by logging in at the mysecurity page
- An inventory of software, hardware and secured facilities under their responsibility
- Classification of digital data based on sensitivity and risk
- Methods being used to protect data from loss (i.e. backup schedule)
- Implementation status of approved mitigation strategies that adhere to information security policies and procedures for managing risk levels for information resources.. Implementation status of approved mitigation strategies that adhere to information security policies and procedures for managing risk levels for information resources.
- Identification of controls in place to ensure the confidentiality, integrity and availability of data and other assigned information resources.. Identification of controls in place to ensure the confidentiality, integrity and availability of data and other assigned information resources.
- Copies of (or reference to) related scores on InSight metrics
- Action plans to address control weaknesses, non-compliance with InSight metrics and to mitigate unacceptable risks.
- Data Owner will review and update the Risk Assessment at least annually; ISAs will provide assistance as needed.
- Copies of annual Risk Assessments/updates and executive summaries will be provided to the Office of Information Security.
- The strategy report that results from the assessment will be submitted to the Information Security Officer (ISO) on an annual basis.
Effective Date: January 1, 2014 Last Revised: April 25, 2014