Information Security: Risk Management Procedure

Original Issuance Date: October 15, 2020

Last Revision Date: March 2, 2022

1. Purpose of Procedures

This Information Security Risk Management (ISRM) procedure establishes the process for the management of information security risks faced by the institutions of the University of Wisconsin (UW) System. This procedure is based on the three-tier risk management approach defined by NIST SP800-37 Risk Management Framework for Information Systems and Organizations: A system Life Cycle Approach for Security and Privacy; NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organization; and the NIST Cybersecurity Framework (CSF). The procedure has been designed in a manner to balance statutory, regulatory, and contractual security requirements against the culture of openness and decentralized nature of the university system in a reasonable and productive manner. This approach integrates the information security concerns into both the UW business and technical environments and ensures continual alignment of risk strategy with the UW mission. The approach encourages communication and cooperation among the UW System stakeholders and drives a continuous improvement of the UW’s risk-related activities.

2. Responsible UW System Officer

Associate Vice President (AVP) for Information Security

3. Definitions

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this procedure include:

Compensating Control
Control
Data Steward
Residual Risk
Risk Acceptance
Risk Assessment
Risk Executive
Risk Management
Risk Mitigation
Risk Treatment
Threat
Safeguard
Vulnerability
Vulnerability Assessment

4. Procedures

ISRM allows UW System institutions to proactively assess, mitigate, and manage information security risk throughout the UW System enterprise and allows UW System to meet it’s regulatory, statutory and contractual information security requirements. This procedure establishes the methodology to prioritize information security risks.

A. Standards

i. Recording of Risk

Information security risks must be captured in the UW System Risk Register for management and tracking purposes. Security risks are identified by many sources including, but not limited to organizational and system risk assessments, vulnerability scanning, security incident and event monitoring (SIEM), vendor notifications, 3^rd-party independent security assessments, and audits. Access to the UW System Risk Register will be provided to all campuses.

Information to be captured in the Risk Register includes:

Date risk identified
Description of the risk
System(s) impacted
Source reporting the risk
Relevant UW institution(s)
Risk executive
Risk score: (see Appendix A for details)
- Likelihood of occurrence (1-5)
- Impact to mission (1-5)
- Overall risk (1-25)

Risk ranking is determined by multiplying the likelihood of occurrence by the impact to mission

Risk treatment (accept, avoid, transfer, or mitigate)
Response details (how the risk will be addressed)
Risk treatment estimated completion date

Institutions must report risk and related information (see list above) to the UW System Office of Information Security (OIS) for entry into the UW System Risk Register on a semi-annual basis (by April 1 and October 1, annually).

Risk is attributed to assets based on the analysis of multiple factors which influence the Confidentiality, Integrity and/or Availability (CIA) of the asset. Factors include:

Threats posed to that asset;
The vulnerabilities that expose the asset;
The impact to any of the UW System mission, values or guiding principles; and
The likelihood that the confidentiality, integrity and/or availability of the asset will be compromised through a given vulnerability by a threat actor.

ii. Risk Assignment

The Risk Executive is typically the designated owner of the system, data, and/or resources that could be negatively impacted if a risk is exploited. The Risk Executive determines the appropriate response (e.g. accept, avoid, transfer, or mitigate) to the risk, based upon the risk’s placement in the risk scoring matrix, with those risks scoring Critical being prioritized. The Risk Executive is typically assigned by the Dean, Department Chair or other senior level university official.

A single Risk Executive cannot determine the treatment for a risk that can impact resources shared within the UW System enterprise. In those situations where a risk has the potential to impact resources under the care of more than one Risk Executive, the UW System Office of Information Security is responsible for coordinating the risk treatment strategy with all impacted Risk Executives.

iii. Risk Treatment

The Risk Executive oversees the completion of the risk treatment. The Risk Executive provides updates of the risk treatment status as part of the semi-annual report required from each UW institution. These updates are done through the UW System Risk Register.

iv. Risk Treatment Validation

The Risk Executive notifies the UW System Office of Information Security when the risk treatment activity has been completed. The UW System Office of Information Security reviews the work completed, validates that issue has been addressed and that the residual risk is aligned with the institution’s risk acceptance, as described in UW System Administrative Procedure 1039.B, Information Security Notification of Risk Acceptance.

Treatment completions are regularly reported to the UW System Risk and Compliance Council, which as part of the Enterprise Risk Management Program, periodically reports risk and compliance measures to the UW System Board of Regents.