Risk Management

Definition

Risk refers to the possibility of loss to the confidentiality, integrity, or availability of campus assets. Risk is evaluated using two factors: the likelihood that a vulnerability will be exploited, and the impact on the campus if it is. Risk Management refers to the entire process, from identifying and evaluating risks, to prioritizing, implementing, and monitoring the mitigations.

Department Responsibility

The departments are responsible for notifying Information Security of any major projects and application procurements where campus Level 1 and 2 data is stored, accessed, or processed.

Information Security Responsibility

The Information Security team is responsible for performing risk assessments and providing information on the mitigations required to comply with CSU and campus policies.

When is a Risk Assessment required?

The Information Security team performs three types of risk assessments:

  1. Vendor Procurements: A risk assessment is required when a cloud-based vendor or application is being procured and access to campus Level 1 and 2 data is granted. This includes hiring consulting services and purchases made using Procurement cards (Pcards).
  2. Internal Risk Assessment: Information Security performs a risk assessment for the campus departments and colleges. This type of risk assessment focuses on the Level 1 and 2 data processes in the department. It is performed every two years to identify gaps between CSU and campus policy and current department practices.
  3. Project and Process: Information Security performs a risk assessment when a department undertakes a major project that involves the use of campus Level 1 and 2 data. For example: a migration from on-premises systems to the cloud.

Risk Management Process

Notification/Request: The department must notify Information Security of any procurement and any major project undertaking. It is highly recommended that the department notify Information Security while it is still in the research phase; waiting until the last minute can delay the process.

Information Gathering: The Information Security team will request information from the vendor and/or the department. For a procurement, one of the following documents is required from the vendor:

  1. SOC 2 Type II audit report
  2. Cloud Security Alliance Consensus Assessment Initiative Questionnaire (CSA CAIQ)

Assessment Draft: Information Security will draft a risk assessment document. The document highlights the risks and the mitigations that reduce each risk to an acceptable level. The department MPP must sign off on the risk assessment and mitigations.

Assessment Review: Once the draft is completed, Information Security will share it with the appropriate department staff for review. This is the department's opportunity to correct any inaccurate information in the risk assessment and to discuss the mitigations and the plan to implement them.

Assessment Sign-Off: Once both Information Security and the department agree on the risk assessment draft and the mitigations, the final version is sent to the department MPP via Adobe Sign for signature.

Risk Mitigation: The departments named in the risk assessment document are now responsible for implementing the mitigations. A department may contact Information Security for clarification or assistance in implementing them. Information Security will follow up with the department to request the status of each mitigation. Once all mitigations are implemented, the risk assessment is closed.

Risk Exception

In situations where a required mitigation cannot be implemented, a risk exception document is created. This document is similar to a risk assessment document, but it requires signatures from both the department MPP and the Vice President of the division.

  1. For procurements where campus Level 1 and 2 data is involved, the Purchasing and Contracts Administration must include .
  2. Cloud-based applications must use Single Sign-On (SSO) where it is available. Where the application does not support SSO, the administrators of the application must ensure that users create their accounts with their campus email address and that account passwords meet .
  3. Departments must maintain a document that tracks user access to all cloud-based applications where Level 1 and 2 data is stored. This review must be completed annually.
  4. Departments must annually review their records, in filing cabinets and in any cloud-based applications, to ensure that records are not kept beyond the retention schedule required by the .
