Original Issuance Date: October 15, 2020
Last Revision Date: March 2, 2022
1. Purpose of Procedures
This Information Security Risk Management (ISRM) procedure establishes the process for the management of information security risks faced by the institutions of the University of Wisconsin (UW) System. This procedure is based on the three-tier risk management approach defined by NIST SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy; NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations; and the NIST Cybersecurity Framework (CSF). The procedure is designed to balance statutory, regulatory, and contractual security requirements against the culture of openness and the decentralized nature of the university system in a reasonable and productive manner. This approach integrates information security concerns into both the UW business and technical environments and ensures continual alignment of the risk strategy with the UW mission. The approach encourages communication and cooperation among UW System stakeholders and drives continuous improvement of the UW's risk-related activities.
2. Responsible UW System Officer
Associate Vice President (AVP) for Information Security
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this procedure include:
- Compensating Control
- Data Steward
- Residual Risk
- Risk Acceptance
- Risk Assessment
- Risk Executive
- Risk Management
- Risk Mitigation
- Risk Treatment
- Vulnerability Assessment
ISRM allows UW System institutions to proactively assess, mitigate, and manage information security risk throughout the UW System enterprise and allows UW System to meet its regulatory, statutory, and contractual information security requirements. This procedure establishes the methodology used to prioritize information security risks.
i. Recording of Risk
Information security risks must be captured in the UW System Risk Register for management and tracking purposes. Security risks are identified by many sources including, but not limited to, organizational and system risk assessments, vulnerability scanning, security incident and event monitoring (SIEM), vendor notifications, third-party independent security assessments, and audits. Access to the UW System Risk Register will be provided to all campuses.
Information to be captured in the Risk Register includes:
- Date risk identified
- Description of the risk
- System(s) impacted
- Source reporting the risk
- Relevant UW institution(s)
- Risk executive
- Risk score (see Appendix A for details):
  - Likelihood of occurrence (1-5)
  - Impact to mission (1-5)
  - Overall risk (1-25); risk ranking is determined by multiplying the likelihood of occurrence by the impact to mission
- Risk treatment (accept, avoid, transfer, or mitigate)
- Response details (how the risk will be addressed)
- Risk treatment estimated completion date
Institutions must report risk and related information (see list above) to the UW System Office of Information Security (OIS) for entry into the UW System Risk Register on a semi-annual basis (by April 1 and October 1, annually).
Risk is attributed to assets based on the analysis of multiple factors which influence the Confidentiality, Integrity and/or Availability (CIA) of the asset. Factors include:
- Threats posed to that asset;
- The vulnerabilities that expose the asset;
- The impact to any of the UW System mission, values or guiding principles; and
- The likelihood that the confidentiality, integrity and/or availability of the asset will be compromised through a given vulnerability by a threat actor.
ii. Risk Assignment
The Risk Executive is typically the designated owner of the system, data, and/or resources that could be negatively impacted if a risk is exploited. The Risk Executive determines the appropriate response (e.g., accept, avoid, transfer, or mitigate) to the risk, based upon the risk's placement in the risk scoring matrix, with those risks scoring Critical being prioritized. The Risk Executive is typically assigned by the Dean, Department Chair, or other senior-level university official.
A single Risk Executive cannot determine the treatment for a risk that can impact resources shared within the UW System enterprise. In those situations where a risk has the potential to impact resources under the care of more than one Risk Executive, the UW System Office of Information Security is responsible for coordinating the risk treatment strategy with all impacted Risk Executives.
iii. Risk Treatment
The Risk Executive oversees the completion of the risk treatment. The Risk Executive provides updates of the risk treatment status as part of the semi-annual report required from each UW institution. These updates are done through the UW System Risk Register.
iv. Risk Treatment Validation
The Risk Executive notifies the UW System Office of Information Security when the risk treatment activity has been completed. The UW System Office of Information Security reviews the work completed and validates that the issue has been addressed and that the residual risk is aligned with the institution's risk acceptance, as described in UW System Administrative Procedure 1039.B, Information Security: Notification of Risk Acceptance.
Treatment completions are regularly reported to the UW System Risk and Compliance Council, which, as part of the Enterprise Risk Management Program, periodically reports risk and compliance measures to the UW System Board of Regents.
5. Related Documents
Regent Policy Document 25-5, Information Security
UW System Information Security Program
UW System Administrative Policy 1000, Information Security: General Terms and Definitions
UW System Administrative Policy 1039, Information Security: Risk Management
UW System Administrative Procedure 1039.B, Information Security: Notification of Risk Acceptance
National Institute of Standards and Technology (NIST) Special Publication 800-53
National Institute of Standards and Technology (NIST) Special Publication 800-37
Revision 2: March 8, 2022
Revision 1: March 25, 2021
First approved: October 15, 2020