Information Security Risk Management Risk Mitigation Process
Number: 8020.0 Revised: August 15, 2010
When an information security risk is identified and mitigation is required, the following process shall be used:
Step 1: Define the Request – The appropriate manager responsible for supervision of the area experiencing the risk meets with the Information Security Office to complete a plan for mitigation of the identified risk. The plan must establish a list of risk factors that must be mitigated, including a firm written schedule for completion of all such mitigation.
Step 2: Submit Plan – The mitigation plan is forwarded to the appropriate senior manager (i.e. Vice President, Dean, or Executive Director) for signature, as acceptance of responsibility for the mitigation. The signed form will be placed on file in the Information Security Office, with a copy provided to the Vice President & Chief Information Officer. A copy will also be scanned and uploaded into the Sacramento State Risk Management System.
Step 3: Mitigation Plan Implemented and Evaluated – The Information Security Office supervises completion of the risk mitigation plan to ensure timely and accurate completion. The Information Security Office will audit the risk to confirm compensating controls are in place and reassess the security posture of the system. Delays in completion of risk mitigation shall be reported to both the Vice President & Chief Information Officer and the Assistant Vice President for Risk Management. All mitigation plans will be reviewed annually to assess completion, as part of the annual campus-wide risk assessment process.