Information security risk assessments are vital for maintaining the security of information resources and meeting legal requirements for protecting confidential information. The goal of these procedures is to assist information resource owners in managing the risks involved with university data information resources, and with meeting Federal, State and University requirements.


  • This Control applies to all information security risk assessments that are conducted annually for university information resources.

  • The intended audience includes all University personnel involved in performing, assisting with, approving, or making risk management decisions related to information security risk assessments


  • 1

    An information security risk assessment shall be performed and documented for all university information resources.

  • 2

    The Office of the CISO shall review the Information Security Risk Assessment Procedures (ISRAP) annually to ensure the effectiveness and efficiency of the risk assessment process.

  • 3

    Annual risk assessments shall consider risks to supply chains associated with university information resources.