Information Security Risk Management Risk Monitoring Process
Number: 8020.0 Revised: August 15, 2010
All campus employees are responsible for reporting any information security risk or non-compliance issue that comes to their attention to the Information Security Office. Where the employee is not directly responsible for the system or process involved, they should also alert the responsible manager.
When a risk or non-compliance is identified and there is insufficient or conflicting information regarding its likelihood of occurrence or potential impact, the Information Security Office will initiate and complete a Risk Monitoring plan. The steps used to develop such a plan are:
Step 1: Risk Identification – The employee or manager who identified the risk or non-compliance calls the Information Security Office at 278-1999 to discuss the potential risk and agree on whether it calls for risk monitoring or for immediate mitigation. If immediate risk mitigation is required, proceed directly to risk mitigation rather than monitoring; otherwise continue to Step 2 below.
Step 2: Define Risk Monitoring Activities – The Information Security Office defines the risk or non-compliance and documents a plan with activities, resources and timeline. The plan is submitted to the Vice President and Chief Information Officer in a timely manner.
Step 3: Manage Investigation and Monitoring Activities – The manager, the employee(s) involved and the Information Security Office carry out the investigation and monitoring plan.
Step 4: Submit Findings and Notify or Request as Appropriate – The Information Security Office submits the findings of the investigation and risk monitoring to the Vice President and Chief Information Officer. The findings are summarized in one of the following four categories:
Notification of compliance
Notification of risk transference plan
Request for risk mitigation
Request for risk acceptance
If it is determined that the process or issue complies with campus risk processes, or that the risk was misidentified, the process is complete and compliance is recorded in the final report.
If the risk does exist, the monitoring report from the Information Security Office identifies either a risk transference plan, a risk mitigation request, or a risk acceptance request. Risk transference must be approved in writing by the Information Security Officer.