
Information Security Office

Risk Management

Risk assessments are part of an ongoing risk management process. Risk assessments provide the basis for prioritization and selection of remediation activities and can be used to monitor the effectiveness of campus controls.

Sacramento State will conduct an annual campus-wide risk assessment coordinated by the Information Security Office. Results from the assessment will be provided to the Vice Presidents. A campus-wide report will be prepared for the Vice President and Chief Information Officer to present to the President. The President will certify the risk assessment, mitigation strategies and all documented risk acceptance.

These procedures will be used by the campus management team during the initial discovery of information security risks and non-compliance with the Information Security Policy and Standards. This process helps define outstanding risks and the strategy used to address them. Risk and non-compliance will be addressed by meeting all Policy and Standards, by mitigation with approval by the Vice President and Chief Information Officer, or by acceptance by the Vice President and Chief Information Officer and President.

The Information Security Office manages the Information Security Risk Assessment process on campus through the use of the Truarx risk assessment tool. This tool is used to inventory all servers, network gear, data centers, systems, and physical locations of level 1 and level 2 data. Additionally, it provides a weighted score based on compensating controls in place to provide a baseline risk to campus. Maintaining a current inventory of these critical assets is important to ensure the appropriate controls are implemented and managed. All technical staff are required to notify the Information Security Office of any additions, changes or removals of these assets.

Asset Registration

If you have assets that store or use level 1 or level 2 data, please fill out the asset registration form here:

Risk Management Tool

Truarx risk management system

Risk Management Procedures

Risk Monitoring

Risk Mitigation

Risk Acceptance

Data Authorization