PURPOSE
Pacific University has adopted this Risk Analysis and Management Policy and Procedure to ensure the confidentiality, integrity, and availability of all Protected Data we create, receive, maintain, or transmit as required by federal or state regulatory requirements, including but not limited to FERPA, GLBA, HIPAA, PCI, and other regional or local applicable laws and regulations.
University colleges, schools, and departments should follow these procedures to comply with the Information System Activity Review and Audit Policy, Policy Number POL-UIS4514.
PROCEDURE
Risk Analysis
- Risk analyses and assessment work shall be conducted periodically under the direction of the University Chief Information Security Officer.
The risk analysis process should include the following elements:
- Identify the scope of the analysis.
- Gather data; inventory systems including hardware, software, input and output sources, and identification of Protected Data.
- Identify and document potential threats and vulnerabilities.
- Assess current security measures.
- Determine the likelihood of threat occurrence.
- Determine the potential impact of threat occurrence.
- Determine the level of risk.
- Identify security measures and finalize documentation.
- The results of risk analyses and assessments shall become an integral part of management’s decision-making process and shall guide decisions related to the access and use of Protected Data.
Risk Management
- The University Director of Legal Affairs will coordinate the development of a risk management plan in coordination with all parties deemed necessary to create the plan such as key workforce members, senior management, and legal counsel.
- The risk management plan will address risks, security measures selected to reduce the risks, and implementation priorities such as required resources, assigned responsibilities, start and completion dates, and maintenance requirements.
- The risk management plan process shall be under the direct control and supervision of the Chief Information Security Officer, and shall involve the Legal Affairs Department, University Information Services, university leadership, and any other parties or persons deemed to be appropriate to the process.
- Risk management plans and processes will be updated as new technologies are implemented and business operations change.
- All security measures will be implemented, evaluated periodically, and maintained.