The university has a Risk Assessment policy which includes the process of identifying, evaluating, and documenting the level of impact that may result from the operation of an information resource on the university's mission, functions, image, reputation, assets, or individuals.

Data classification provides a framework for managing data assets based on value and associated risks. It also guides the application of the appropriate levels of protection as required by state and federal law as well as proprietary, ethical, operational, and privacy considerations. All electronic data should be classified.

Information security risk assessments are vital for maintaining the security of information resources and meeting legal requirements for protecting confidential information. The goal of these procedures is to assist information resource owners in managing the risks involved with university data information resources, and with meeting Federal, State and University requirements.

This Control addresses how the university scans for security vulnerabilities in information resources to prevent inappropriate or unauthorized access to information systems.

This Control addresses the responsibility to properly respond to findings from risk assessments.