The university has a Risk Assessment policy which includes the process of identifying, evaluating, and documenting the level of impact that may result from the operation of an information resource on the university's mission, functions, image, reputation, assets, or individuals.


  • This control applies to the university Chief Information Security Officer (CISO).


  • 1

    The university CISO, in coordination with Information Resource owners, shall develop, document, and disseminate to units a set of controls that addresses the Risk Assessment of information resources. These controls should include purpose, scope, roles, responsibilities, management commitment, coordination among university entities, and compliance

  • 2

    The CISO shall review and update the Risk Assessment controls as necessary.