Policy 105 Information Security Risk Management
- Purpose
- Applicability and Audience
- Information Security Roles and Responsibilities (100.01)
- Policy
- Policy Compliance
- Related Standards and Guidelines
- References
- Policy Review
Purpose
The Information Security Risk Management Policy describes how the Office of Information Security (OIS) helps manage technical and process risks to the Confidentiality, Integrity, and Availability (CIA) of information resources at Washington University in St. Louis (WashU).
Applicability and Audience
This policy applies to all information resources that are owned, leased, vended, contracted, or operated by the university, including hardware, software, systems, and data.
All members of the WashU Community should be aware of this policy, including faculty, staff, students, and any agent engaged for contracted services to the university with access to WashU information, systems, and networks. This includes, but is not limited to, partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers.
Information Security Roles and Responsibilities (100.01)
Policy
105.00 Introduction
The WashU Community depends on the security of information resources to fulfill the university missions of teaching, research, and patient care. These information resources and the functions they support face various risks that arise from WashU’s position in critical healthcare, research, and education infrastructure, as both a producer and consumer in the cyber supply chain, and from our relationships with third-party partners and suppliers.
Risk is determined qualitatively by assessing the likelihood of events and the possible impacts or harms to the university from those events. An event is commonly defined as a threat exploiting a vulnerability (i.e., a flaw or weakness) in a university process, system, or application. Security events can damage the university and can lead to unfulfilled regulatory or contractual obligations.
The goals of the WashU risk-management program are to protect information resources and maintain compliance with laws and regulations by identifying, documenting, prioritizing, and responding to risks. The risk management program is based on frameworks such as the United States National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and standards such as NIST SP 800-53, on the regulations and contractual standards that govern Protected Information (e.g., HIPAA, PCI DSS, FERPA), and on feedback from organizational stakeholders.
105.01 Risk Management Roles and Responsibilities
Comprehensive risk management is the responsibility of all members of the WashU Community. The OIS will engage stakeholders, departments, and schools to foster a security culture, raising awareness about risks and integrating risk-management strategies in university events, projects, processes, and planning.
The table below includes information about specific roles with risk management responsibilities.
| Roles | Responsibilities |
|---|---|
| Board of Trustees Audit, Risk and Compliance Committee, and Cybersecurity Subcommittee | Receives an annual overview of top Enterprise Risk Management (ERM) priorities. |
| Executive Leadership, Cyber Security Executive Advisory Committee | Approves capital expenditures for Information Security. Serves as the communication path to Deans and senior faculty. |
| Chief Information Officer (CIO) | Sponsors the OIS to ensure the information security risk process is followed for university activities, processes, and projects. |
| Chief Information Security Officer (CISO) | Maintains the risk register. Communicates information security risks to Executive Leadership. Reports annually to university leadership on risks that need to be addressed to bring risk to an acceptable level. |
| Chief Privacy Officer (CPO) | Communicates privacy risks to Executive Leadership. Oversees information privacy assessments, analysis, mitigation, and remediation. |
| Office of Information Security | Conducts risk assessments, documenting the identified threats and their likelihood of occurrence. Develops policy, procedures, and solutions to mitigate identified risk to an acceptable level. |
| Internal Audit | Conducts sample audits to ensure compliance with information security policies and risk mitigation efforts. |
| Department, School, and Unit Stakeholders | Implement risk-mitigating controls and ensure they are properly maintained. |
| Administrators of Co-Managed Systems | Confer with the OIS to ensure controls are in place and commensurate with the criticality of the system and data. |
| WashU Community Members | Always act in a manner that does not place at risk the health and safety of themselves or other persons in the workplace. Always act in a manner that does not place at risk the security of the information and resources to which they have access or that they use. Report to the OIS any perceived risks that are not being adequately managed. Follow OIS policies and procedures and act in good faith to maintain WashU security and compliance. |
105.02 Information Security Risk Assessments
The OIS conducts risk assessments on all information assets used to store, process, or transmit university data. The goals of the risk assessment are to categorize, prioritize, and report risks and applicable controls according to information and system classification, as described in Policy 100, section 100.04 Data, Information, and System Classification. The assessment is based on the analysis of information and intelligence received from internal and external experts and from information-sharing forums and sources.
The OIS will cooperate with organizational stakeholders to develop a cyber supply chain risk-management process to ensure measures are in place that support the objectives of the WashU information security program. A central activity of this process is the routine assessment of suppliers and third-party partners using questionnaires, audits, tests, and other evaluations to confirm they are meeting contractual obligations.
Risk assessments must be completed prior to procurement of new systems and before significant modifications are made to existing systems.
Refer to Standard 205: Information Security Risk Management for additional information.
105.03 Risk Response
The university response to risks—mitigate, transfer, accept, or avoid—will be based upon identified risk tolerance levels, informed by WashU’s role in critical infrastructure and in the education and healthcare sectors. System owners, departments, and schools will follow OIS risk response recommendations to reduce risks to acceptable levels.
The OIS will document residual risks (i.e., those that remain after mitigation). Residual risks may only be accepted by personnel with the appropriate level of authority, as determined by the Chief Information Security Officer (CISO), the HIPAA Privacy Officer, and the Chief Privacy Officer (CPO).
105.04 Risk Register
The OIS will consolidate documentation of risks in a central repository across administrative and academic units and risk types. The risk register will aid in the documentation and communication of risks and risk mitigation to the WashU Community and to the Board of Trustees Audit, Risk and Compliance Committee in an annual report from the CISO. Refer to Standard 205: Information Security Risk Management for additional details.
105.05 Risk Management Performance
The performance of the risk management program will be evaluated according to the following outcomes:
- The reduction of risks, as reported annually
- The completion and reporting of risk assessments and reviews for all university applications and projects
- Compliance with regulations
- Information security incidents that are investigated, analyzed for risk, and followed by the implementation of appropriate controls
Policy Compliance
The Office of Information Security (OIS) will evaluate compliance with this policy using various methods, including reports, internal and external audits, and feedback to the policy owner. If compliance with this policy is not feasible, technically possible, or practical, users should request an exception from the OIS. Exceptions to this policy must be approved by the OIS in advance. Non-compliance will be addressed with management, the appropriate Area Specific Compliance Offices, Human Resources, or the Office of Student Conduct.
Internal Audit will independently review and assess compliance with this policy, reporting findings and recommendations to senior management and the Board of Trustees.
Related Standards and Guidelines
Policy 100: Information Security Program
Standard 205: Information Security Risk Management
References
National Institute of Standards and Technology (2018) Cybersecurity Framework
National Institute of Standards and Technology (2020) Special Publication 800-53: Security and Privacy Controls for Information Systems and Organizations, Rev. 5
Policy Review
This policy will be reviewed by the OIS at a minimum of every three years.
Policy Number and Title: 105 Information Security Risk Management
Owner: Office of Information Security
Approved By: Cyber Security Executive Advisory Committee
Original Approval Date: December 6, 2016
Current Version Publication Date: November 27, 2024