Purpose
To provide 6VµçÓ°Íø with guidance in identifying and understanding the components of the institution that make up its information security system, and thereby to enable 6VµçÓ°Íø to manage cybersecurity risk to systems, assets, data, and capabilities.
Policy
Risk assessments take into account threats, vulnerabilities, likelihood, and impact to 6VµçÓ°Íø assets, individuals, and other organizations arising from the use of the 6VµçÓ°Íø system. 6VµçÓ°Íø periodically conducts assessments of risk, which include the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, and/or destruction of the 6VµçÓ°Íø system, its components, and the information processed, stored, or transmitted by the system. Risk assessment results are documented and reviewed by the 6VµçÓ°Íø Security Official or designee. The results are then disseminated to appropriate faculty and staff, including, but not limited to, the 6VµçÓ°Íø executive staff. Risk assessments are conducted annually by 6VµçÓ°Íø, or whenever there are significant changes to 6VµçÓ°Íø, its system, or other conditions that may affect the security of 6VµçÓ°Íø.
Summary
- Physical (hardware) and software assets will be assessed for vulnerabilities, and those vulnerabilities will be documented.
- Periodically, a vulnerability scan of those assets will be conducted to assess vulnerabilities in the information system or its hosted applications.
- 6VµçÓ°Íø uses a variety of sources in order to assist in determining asset vulnerabilities.
- These sources can include, but are not limited to, US-CERT bulletins, InfraGard, the Federal Trade Commission (FTC), and the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC).
- When threats are identified, they will be documented by type of threat, description of the threat, and characteristics of the threat.
- Threats will be classified in relationship to the potential for adverse impact on the College.
- Once a risk is identified, it will be reduced or mitigated.
- 6VµçÓ°Íø understands that risks exist regardless of its efforts and will address risks as they become suspected or evident.
Risk Assessment Policy Details [pdf]