105 Information Security Risk Management
The following table shows who is responsible for ensuring compliance with the policy requirements listed below.
| Requirement | All Users | OIS | System Custodians/Administrators | Departments, Schools, and Units |
|---|---|---|---|---|
| Conduct risk assessments on all assets that store, process, or transmit university data (p. 3). | ✔ | | | |
| Engage in the risk assessment process prior to procurement of systems or implementation of significant modifications (p. 3). | ✔ | ✔ | ✔ | ✔ |
| Follow OIS risk response recommendations to reduce risk to acceptable levels (p. 4). | ✔ | ✔ | ✔ | |
| Document residual risks (p. 4). | ✔ | | | |
| Consolidate risk documentation in a central repository (p. 4). | ✔ | | | |
Summary of Policy
The policy describes how the OIS manages technical and process risks to the Confidentiality, Integrity, and Availability (CIA) of WashU information resources. The policy includes information about:
- Risk management roles and responsibilities
- Information security risk assessments
- Risk response
- Documentation of residual risk
- The risk register, a central repository of risk documentation
- Measuring and reporting risk management performance
Full Text of Policy
Policy 105 Information Security Risk Management
The policy describes how the OIS manages technical and process risks to the Confidentiality, Integrity, and Availability (CIA) of WashU information resources.
Related Information
100 Information Security Program
This policy is the foundation of the policy library and provides a rationale for the directives communicated in all other information security policies.
205 Information Security Risk Management
DRAFT: This standard supports Policy 105: Information Security Risk Management by providing a detailed framework for identifying, assessing, mitigating, and managing security risks to the university.