Information Security Office

Risk Acceptance

The risk acceptance process must be followed when a system or process is required to meet Sacramento State's core mission and campus academic and administrative goals, but the risk or non-compliance still exists without compensating controls. The risk or non-compliance can be accepted if, in the judgment of the Vice President and Chief Information Officer, the value of the campus system is greater than the risk and cost to implement additional controls.

Risk Acceptance Process

A Dean, Vice President or Executive Director must complete the Risk Mitigation request form. The fields match the Risk Monitoring template and can be copied from that process. If copied, update the fields with the final text. Print, sign and send the form to the Information Security Office. The Information Security Office will review the form and request clarification or updates if needed. Once the form is complete, the Information Security Office will sign it and present it to the Vice President and Chief Information Officer. Due to the complex nature of these requests, the Vice President and Chief Information Officer may call a meeting before approving or denying the request. The completed request will also be presented to the President for approval or denial.

A copy of the completed request will be sent to the Dean, Vice President or Executive Director. A copy will also be scanned and uploaded into the Sacramento State Risk Management System. These requests will be reviewed annually as part of the standard campus-wide risk assessment process. This review will also serve as an audit to confirm that compensating controls are in place and to reassess the security posture of the system. If the request is not approved, it will also be uploaded into the Sacramento State Risk Management System for reference.

Download the Risk Acceptance form here