Information Security Risk Management Supplemental Policy
Number: 8020.0 Revised: August 15, 2010
The Information Security Officer is required to conduct a comprehensive campus-wide information security risk assessment on at least an annual basis. A report on the results of such risk assessments will be presented to the Vice President and Chief Information Officer and reviewed with the President no later than December 1st of each year. This report must include a description of the risk assessment methodology, the results of the risk assessment, a specific assessment of segregation of duties issues, a listing of any approved policy exceptions, and recommended mitigation strategies for addressing each identified risk. The President will certify the results of the annual risk assessment, as well as all required mitigation strategies and risk acceptance contained in that report. A copy of the final report will be provided to the CSU Chancellor’s Office and a summary will be distributed on campus.
8020.300 Risk Mitigation
Sacramento State will adhere to the attached Information Security Risk Acceptance and Exception Process for documenting and tracking all decisions related to risk mitigation. The Vice President and Chief Information Officer, in consultation with the President, must approve all risk mitigation strategies and exceptions to the risk management process in writing.
8020.500 Risk Acceptance
The Sacramento State Risk Acceptance and Exception Process must be followed before any information security risk may be accepted by the campus, or before any exceptions to these policies may be made. The Vice President and Chief Information Officer, in consultation with the President, must review and approve all such assumed risk. Any such accepted risk will be documented annually as part of the Annual Risk Assessment procedures noted in section 8020.200.
8020.600 Risk Monitoring
When a potential information security risk is identified or reported, but there is insufficient or conflicting information regarding the likelihood of significant risk at the time of the report, the Information Security Officer will develop a plan to assess the risk using the Risk Monitoring section of the Risk Acceptance and Exception Process. The result of this process will comprise a thorough monitoring and investigation of the potential for information security risk and a plan to mitigate any identified risk. When permitted by law and regulation, this assessment will be completed in cooperation with those who operate the at-risk computer/network system(s). The results of any such risk monitoring and review will be submitted to the Vice President and Chief Information Officer in a timely manner and shall include a) a review of the level of risk confirmed; b) a review of the confidentiality of data at risk; and c) a recommendation for timely mitigation of any serious risk.