Information Security Office

Risk Discovery

All campus employees are responsible for reporting any risk or non-compliance issue in systems and processes that they directly oversee or for which they are the System Owner. Where an employee is not directly responsible for the system or process, they must alert the responsible manager. If they cannot identify the responsible manager, they must alert the Information Security Office, which will help identify and alert the responsible System Owner.

Sometimes, when a risk or non-compliance is identified, there is insufficient or conflicting information about its likelihood of occurrence or potential impact. In such cases, the System Owner must initiate and complete a Risk Monitoring plan.

Risk Monitoring Process

Step 1: Risk Monitoring Communication

  1. Start an email with the Risk Monitoring Template.

  2. In the To field enter the Chief Information Officer and Vice President.

  3. In the CC field enter the Information Security Office.

  4. In the subject line enter "Risk Monitoring Initiation - <system/process name>", replacing the <system/process name> placeholder with the name of the impacted system or process. The name should make clear which application, server or business process the issue resides in.

  5. In the body, paste the Information Security Risk Monitoring Template text (download the text here).

  6. In the Title field enter a brief description to refer to this project.

  7. In the Policy/Standard out of compliance field you can cut and paste the policy/standard section that is out of compliance or you can enter an abbreviated statement or section title.

  8. In the System/Process out of compliance field enter all systems, servers, processes and user groups that must be considered as part of the investigation and monitoring.

  9. In the Identified risks/control issues/concerns field enter a brief statement about the risk, issue or concerns.

  10. In the Compensating/Additional Controls field enter any existing controls that you are aware of that would reduce the campus exposure to the risk, issue or concern indicated above.

  11. In the Investigation and Monitoring Plan section identify what tasks must take place to assess the risk and make a recommendation to transfer, mitigate or accept the risk.

    1. Activity - Enter a brief task statement to identify key events that must take place to assess the risk.

    2. Resources - Enter the name of the primary employee responsible for completing the activity. You may list additional employees, but only one should be responsible for monitoring the process and managing the task.

    3. Due Date - Enter the date by which the activity will be completed.

  12. Identify an MPP to contact for additional information. This MPP will be responsible for managing the Activities outlined above.

  13. Send the email.

Step 2: Manage Investigation and Monitoring Activities

Step 3: Submit Finding and Notify or Request as Appropriate

A final communication must be sent to the Vice President, the Chief Information Officer and the Information Security Office with the finding of the Investigation and Risk Monitoring. The finding should be summarized in one of the following four categories:

  • Notification of compliance
  • Notification of risk transference plan
  • Request risk mitigation
  • Request risk acceptance

If you determine that you are in compliance, or if the monitoring data make it reasonable to conclude that the risk was misidentified, then the process is complete. A summary of the data findings should be included in the notification. An email communication is acceptable in most cases.

If the risk does exist but the Program Center can transfer it within 6 weeks to a third party or to the central IRT services, then provide the transfer plan with its timeline and resources. The Vice President and Chief Information Officer may call a meeting depending on the complexity and risk.

A copy of the email will also be scanned and uploaded into the Sacramento State Risk Management System for future reference.

If the risk or non-compliance can be appropriately mitigated, or if the value to the campus and the limitations on addressing the risk warrant it, the risk may be accepted. Refer to those processes below.