The university identifies, accepts, mitigates, and responds to risks identified in the annual risk assessments with actionable plans and decisions.


  • The intended audience includes information resource owners and custodians.


  • For all weaknesses and deficiencies noted during the annual risk assessment of security controls, the information resource owner, or designee, shall develop a plan of action and milestones to document the unit’s planned remedial actions to reduce or eliminate known vulnerabilities to the information resource.