Policy area: III- Information Security Policies and Procedures
Title of policy: III-b Risk Management Plan
Approved by: CWRU Chief Information Security Officer
Date Approved: January 31, 2017
Responsible Party: Chief Information Security Officer
History: Version 1.0.
- III-1a Risk Management Procedure and Risk Assessment Methods
- III-1 Information Types and Sensitivity
- Higher Education Information Security Council (HEISC) Risk Management Framework
- A Taxonomy of Operational Cyber Security Risks, James Cebula, Lisa Young, Software Engineering Institute Technical Note CMU/SEI-2014-TN-006
- National Institute of Standards and Technology
I. Policy Statement
This Risk Management Plan describes the strategy for establishing a formal security risk management program at Case Western Reserve University (CWRU). University Technology ([U]Tech) is tasked with maintaining an overall picture of information security risk for all information owned by the University, noting that a majority of information of concern is maintained in IT systems.
II. Purpose of this Plan
In the implementation of a structured risk management program for information security, the following plan describes the essential program elements to ensure the security risk is regularly assessed, and appropriate management elements, including controls and risk acceptance contingencies, are monitored and presented to [U]Tech leadership. Reference (a) outlines the use of Continuous Risk Management methodology at CWRU.
Security Risk: the qualitative or quantitative likelihood of an adverse event occurring that negatively impacts the confidentiality, integrity, or availability of information and information systems.
Risk Index: A listing of the top “N” risks for a particular system or group of systems, prioritized by impact, with action plans or contingencies proposed. The risk index is the final product maintained by a risk management program.
Risk Information: information about security risks, including conditions, consequences, and action plans should always be regarded as Internal Use information at a minimum, and may under some circumstances be considered Restricted information, and shall be communicated and handled with regard to information security requirements.
Risk Assessment: the formal process for identification of security risk.
Risk Management: the the ongoing process of identifying risks and implementing plans to address them.
Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
IV. The Plan
- CWRU shall identify information security risk according to established standards published under Reference 1. Risk criteria and risk decisions are made using information sensitivity standards described in Reference 2.
- Reference 2 defines information sensitivity in terms of confidentiality. In the university environment, the presence or use of Restricted (high confidentiality requirement) information is a major driver of risk action.
- The CWRU Information Security Office will maintain an Enterprise Risk Index, which is an aggregate listing of security risks either identified by an assessment, or observed as a problem from an incident response activity that is anticipated to appear again. The Enterprise Risk Index will be updated on a quarterly basis, or more frequently when needs arise.
- i. The University Information Security Committee shall have a Risk Committee tasked with reviewing enterprise risks and ranking them in order of priority. Systemic or enterprise risks are often used to propose IT infrastructure or campus wide controls.
- ii. The CWRU CISO will report regularly to the VP of University Technology/CIO on pertinent risks and action plan/resource needs.
- iii. The VP of University Technology/CIO is the sole authority for risk acceptance for enterprise level risks.
- The CWRU Information Security Office will propose a two-year risk assessment schedule, to be updated in the First Quarter of each fiscal year. The assessments should be a reasonable mix of:
- i. Evaluation of critical IT infrastructure assets
- ii. Assessment of new IT systems and emerging technologies and workflows
- iii. Business processes involving sensitive (Restricted) information or high-value intellectual property
- iv. Compliance driven system assessments (e.g. for certain research activities or contract-driven security requirements)
- v. Security incident post-mortem follow-up “health check”
- CWRU shall perform assessments using the following resource groups, as resources and schedule demands:
- i. Information Security Office Program Team members to conduct “high touch” or complex internal systems assessments
- ii. University Internal Audit may perform compliance-based risk assessments under the direction of the Chief Financial Officer
- iii. Externally contracted risk assessment vendors, within defined scope
- Each risk assessment shall provide the following deliverables, regardless of assessment group:
- i. A risk index pertinent to the scope of the assessment, using Condition-Consequence terminology as described in Reference (a).
- ii. Where warranted for compliance purposes, a Security Plan, including the risk index as an appendix, with action plans (procedures and controls for the system/workflow users), to address the top risks. The system owner/sponsor should be the signature authority for the Security Plan.
- iii. Assessment teams will use their system knowledge to identify any new risks observed in the given assessment be added to the Enterprise Risk Index.
- Communication of risk shall be performed using adequate controls, considering risk information to be at the Internal Use Only level and above.