Introduction and Scope Risk Acceptance Process
Number: 8000.0 Revised: August 15, 2010
Program centers may not self-assess or accept information security risk, as campus information security risk can only be accepted by the Vice President and Chief Information Officer, in consultation with the President. Therefore, all identified risk must be immediately reported to the Office of Information Security for assessment and review through appropriate channels.
Step 1: Report the Risk – The person identifying the risk shall immediately report the risk potential to their senior manager. The manager shall immediately report the presence of the potential or known risk to the Information Security Office. Program centers may request that they be permitted to assume lower level risk or that they be permitted to institute compensating controls. (Download Template)
Step 2: Assess the Risk – The Information Security Office will analyze the risk and present an assessment and recommended response to the Vice President and Chief Information Officer. If the Information Security Office believes that the risk can be managed locally or that local compensating controls can adequately respond to the risk, a written Local Risk Acceptance plan will be completed, signed by the program center’s senior manager, and forwarded to the Vice President and Chief Information Officer.
Step 3: Acceptance or Compensation of Risk – The Vice President and Chief Information Officer, in consultation with the President, will review the recommendations of the Information Security Office and either accept, reject, or modify the recommended risk acceptance. The Vice President will also review and accept, reject or modify local risk acceptance requests.
Step 4: Implementation – The Information Security Office will ensure that the recommended actions take place that ensure either documentation of risk acceptance, completion of compensating controls, or local management of the risk accepted.
Back to to Sacramento State Information Security Policy Website