
Information Security Office

Risk Management Overview

Risk assessments are part of an ongoing risk management process. Risk assessments provide the basis for prioritization and selection of remediation activities and can be used to monitor the effectiveness of campus controls.

Sacramento State will conduct an annual campus-wide risk assessment coordinated by the Information Security Office.  Results from the assessment will be provided to the Vice Presidents.  A campus-wide report will be prepared for the Vice President and Chief Information Officer to present to the President.  The President will certify the risk assessment, mitigation strategies and all documented risk acceptance.

These procedures will be used by the campus management team during the initial discovery of information security risks and non-compliance with the Information Security Policy and Standards.  This process helps define outstanding risks and the strategy used to address them.  Risk and non-compliance will be addressed by meeting all Policy and Standards, mitigated with approval by the Vice President and Chief Information Officer, or accepted by the Vice President and Chief Information Officer and the President.

Risk Discovery

All campus employees are responsible for reporting any risk or non-compliance issues in systems and processes that they directly oversee or for which they are the System Owner.  In cases where an employee is not directly responsible for the system or process, they must alert the responsible manager.  If they cannot identify the responsible manager, they must alert the Information Security Office.  The Information Security Office will help identify and alert the responsible System Owner.

Sometimes, when a risk or non-compliance is identified, there may be insufficient or conflicting information regarding its likelihood of occurrence or potential impact.  In such cases, System Owners must initiate and complete a Risk Monitoring plan.

Risk Monitoring Process

Step 1: Risk Monitoring Communication

  1. Start an email with the Risk Monitoring Template.

  2. In the To field enter the Chief Information Officer and Vice President.

  3. In the CC field enter the Information Security Office.

  4. In the subject line enter "Risk Monitoring Initiation - <system/process name>", replacing the <> section with the impacted system/process name.  The name should make it clear which application, server or business process the issue resides in.

  5. In the body paste the Information Security Risk Monitoring Template text - Download the text here

  6. In the Title field enter a brief description to refer to this project.

  7. In the Policy/Standard out of compliance field you can cut and paste the policy/standard section that is out of compliance or you can enter an abbreviated statement or section title.

  8. In the System/Process out of compliance field enter all systems, servers, processes and user groups that must be considered as part of the investigation and monitoring.

  9. In the Identified risks/control issues/concerns field enter a brief statement about the risk, issue or concerns.

  10. In the Compensating/Additional Controls field enter any existing controls that you are aware of that would lessen the campus exposure to the risk, issue or concern indicated above.

  11. In the Investigation and Monitoring Plan section identify what tasks must take place to assess the risk and make a recommendation to transfer, mitigate or accept the risk.

    1. Activity - Enter a brief task statement to identify key events that must take place to assess the risk.

    2. Resources - Enter the name of the primary employee responsible for completing the activity.  You can list additional employees, but only one should be responsible for monitoring the process and managing the task.

    3. Due Date - Enter the date the activity will be completed.

  12. Identify an MPP to contact for additional information.  This MPP will be responsible for managing the Activities outlined above.

  13. Send the email.

Step 2: Manage Investigation and Monitoring Activities

Step 3: Submit Findings and Notify or Request as Appropriate

A final communication must be sent to the Vice President and Chief Information Officer and the Information Security Office with the findings of the Investigation and Risk Monitoring.  The findings should be summarized in one of the following four categories:

  • Notification of compliance
  • Notification of risk transference plan
  • Request risk mitigation
  • Request risk acceptance

If you determine that you are in compliance, or the monitoring data reasonably shows that the risk was misidentified, then the process is complete.  A summary of the data and findings should be included in the notification.  An email communication is acceptable in most cases.

If the risk does exist but the Program Center can transfer it within 6 weeks to a third party or to central IRT services, then provide the plan with its timeline and resources.  The Vice President and Chief Information Officer may call a meeting depending on the complexity and risk.

A copy of the email will also be scanned and uploaded into the Sacramento State Risk Management System for future reference.

If the risk or non-compliance can be appropriately mitigated, or if the value to the campus and the limitations on addressing the risk warrant it, the risk may be accepted.  Refer to those processes below.

Risk Mitigation

The risk mitigation process must be followed when a system or process is required to meet Sacramento State's core mission and campus academic and administrative goals, but the risk or non-compliance still exists.  The mitigation request can be approved if the Vice President and Chief Information Officer believes the campus risk is reasonably compensated to meet the intent of the Information Security Policy and Standards.

Risk Mitigation Process

A Dean, Vice President or Executive Director must complete the Risk Mitigation request form.  The fields match the Risk Monitoring template and can be copied from that process.  If copied, update the fields with the final text.  Print, sign and send the form to the Information Security Office.  The Information Security Office will review the form and request clarification or updates if needed.  Once completed, the Information Security Office will sign the form and present it to the Vice President and Chief Information Officer.  Due to the complex nature of these requests, the Vice President and Chief Information Officer may call a meeting before approving or denying the request.

A copy of the completed request will be sent to the Dean, Vice President or Executive Director.  A copy will also be scanned and uploaded into the Sacramento State Risk Management System.  These requests will be reviewed annually as part of the standard campus-wide risk assessment process.  This review will also serve as an audit to confirm that compensating controls are in place and to reassess the security posture of the system.  If the request is not approved, it will also be uploaded into the Sacramento State Risk Management System for reference.

Download the Risk Mitigation form here

Risk Acceptance

The risk acceptance process must be followed when a system or process is required to meet Sacramento State's core mission and campus academic and administrative goals, but the risk or non-compliance still exists without compensating controls.  The risk or non-compliance can be accepted if the Vice President and Chief Information Officer believes the value of the campus system is greater than the risk and the cost to implement additional controls.

Risk Acceptance Process

A Dean, Vice President or Executive Director must complete the Risk Acceptance request form.  The fields match the Risk Monitoring template and can be copied from that process.  If copied, update the fields with the final text.  Print, sign and send the form to the Information Security Office.  The Information Security Office will review the form and request clarification or updates if needed.  Once completed, the Information Security Office will sign the form and present it to the Vice President and Chief Information Officer.  Due to the complex nature of these requests, the Vice President and Chief Information Officer may call a meeting before approving or denying the request.  The completed request will also be presented to the President to approve or deny.

A copy of the completed request will be sent to the Dean, Vice President or Executive Director.  A copy will also be scanned and uploaded into the Sacramento State Risk Management System.  These requests will be reviewed annually as part of the standard campus-wide risk assessment process.  This review will also serve as an audit to confirm whether any compensating controls have since been put in place and to reassess the security posture of the system.  If the request is not approved, it will also be uploaded into the Sacramento State Risk Management System for reference.

Download the Risk Acceptance form here