This Control applies to all information security risk assessments that are conducted annually for university information resources.

The intended audience includes all University personnel involved in performing, assisting with, approving, or making risk management decisions related to information security risk assessments

1. After completion of the annual Information Security Risk Assessment, all assessment reports will be reviewed by the Division of IT Risk Management and Policy personnel (i.e., the “primary review”). Based on the primary review, some assessments will be selected for additional review (i.e., a “secondary review”). The selection of assessments for secondary review and the order of these reviews will be predicated on areas of inherent risk (e.g., confidential information, mission critical systems, and/or problematic conditions) or at the direction of the Vice President for Information Technology & Chief Information Officer (or designee).

2. The specific process followed for each review will be designed with effectiveness and efficiency as primary goals. Where beneficial and feasible, these reviews may utilize automated software tools to provide confirmation and/or information regarding the configuration and classification (e.g., contains confidential data) of the information resources.

3. The review process shall include where appropriate: notification, information gathering, analysis, and reporting.

4. During the review, the Division of IT Risk Management and Policy personnel will answer any questions units have regarding the risk assessment process with the goal of promoting a better understanding and effective use of the Information Security Risk Assessment Procedures.

Suggestions regarding clarification and improvement of the risk assessment tools and process will be sought from unit personnel.

5. Detailed guidelines can be found at the ISRAP website.

(This control replaces the previous SAP 29.01.03.M1.26 Information Resources – Security Risks Assessment Reviews)