Body
Purpose
Information Technology (IT) risk management refers to the process of identifying risk, assessing risk, and prioritizing the major IT risks associated with the University’s key objectives. Risk management is crucial for the University to maintain situational awareness and remain both secure and compliant. The purpose of this policy is to define the procedures and standards for identifying, assessing, and prioritizing IT risk.
OU IT must establish a process to manage IT risks to the University that result from threats to university data, hardware, software, or third-party technology services.
Supporting Policy
To Be Determined
Scope
This standard applies to Colleges, Departments, or Units managing or operating IT and software, hardware, or third-party technology.
Definitions
Information Technology and Security Definitions
Standard
Risk Assessment
Risk assessment is the process of taking identified risks and analyzing their potential severity of impact and likelihood of occurrence. Risk assessment must be conducted through IT system life cycles:
- All data usage and integration requests must undergo a Privacy Impact Assessment. The Privacy Impact Assessment will evaluate the privacy of data usage requests that includes but is not limited to: lawfulness, accuracy, integrity, confidentiality, and availability.
- New hardware, software, or third-party technology service that collects, stores, transmits, or processes Institutional Data must be registered using the OU IT Security Consultation request form. An IT Security Assessment must be completed before the purchase or integration of hardware, software, or third-party technology services. IT Security Assessments must be updated periodically to monitor the environment for risks. IT Security Assessments must be updated following the frequency described below:
- Category A - ePHI, HIPAA: Every 2 years
- Category B - PCI/Credit Card: Every 3 years
- Category C - FERPA/GLBA/Teaching: Every 3 years
- Category D1 - CUI/ITAR/Export Control: Every year
- Category D2 - Research: Every 3 years
- Category E - Administrative: Every 3 years
- Category F - Public: Every 5 years
- Third Parties may include service or technology providers, contractors, vendors, and agents who are not employed by or directly affiliated with OU. Third Parties must undergo a Vendor Risk Assessment to verify they have implemented security measures comparable to OU minimum security requirements. Vendors and/or systems with a score at or below C (600 or below) shall require department leadership and IT governance approval.
- An IT Risk Assessment must be completed annually for any College, Department, or Unit that manage or. operating hardware, software, or third-party technology services.
Risk Treatment
Risk Treatment is the process of deciding how to respond to risk.
- Risk remediation is a decision to systematically reduce the risk. Data Owners or Stewards shall work with OU IT GRC to develop risk remediation plans where feasible.
- Critical risks require immediate action to reduce the risk. Hardware, software, or third-party service with critical risk exposure may be required to be disconnected until resolutions or mitigations are found. Critical risks found during an assessment must be communication upon discovery.
- High risks require prompt action to reduce the risk. All high risks must be reduced before the close of the next semester or instruction.
- Medium risks must be prioritized within three (3) months of identification and be remediated based on prioritization.
- Low risks require documentation in the risk register and be reviewed at the next assessment, or sooner if changes to the likelihood or impact become apparent.
- Risk acceptance is a decision where the cost of remediating the risk is acceptable because the risk level is insufficient to justify the cost.
- Critical or High risks must be approved by ITESC.
- Medium must be approved by the appropriate Tier II IT Governance Committee.
- Low risks must be approved by the Data Owner.
- Risk transfer is a decision where the risk responsibility is transferred to another entity (e.g., Business Associate, cyber insurance, or other legally binding contract).
Risk Management
Risk management is the ongoing management process of assessing risks and implementing plans to address them.
- Risks identified during IT Security Assessments and Vendor Risk Assessments must be captured in the OU IT vendor risk register for management and tracking. Vendor risks are identified by many sources including, but not limited to vulnerability scanning, security incident and event monitoring, vendor notifications, and other continuous monitoring.
- Risks identified during Privacy Impact Assessments must be captured in the OU IT risk register for management and tracking purposes. Data privacy risks are identified by many sources including, but not limited to data usage requests, security incident and event monitoring, and audits.
- Risks identified during IT Risk Assessments must be captured in the OU IT risk register for management and tracking purposes.
- The IT Risk Assessment point of contact must prioritize IT risks and present a risk management plan that will allocate resources to ensure compliance with policies and regulations for approval to the Data Owner. A single Data Owner cannot determine the treatment for a risk that can impact resources shared within the OU enterprise.
- Data Owners must oversee the completion of the risk treatment and provide notification to OU IT GRC when the risk treatment activity has been completed.
- OU IT GRC must review the treatment activity work completed, validate that the issue has been addressed.
- In situations where a risk has the potential to impact resources under the care of more than one Data Owner, the Chief Information Security Officer (CISO) is responsible for coordinating the risk treatment strategy with all impacted Data Owners.
Risk Reporting
- OU IT GRC must periodically report risk and compliance measures to the Cybersecurity and Infrastructure Advisory Committee (CIAC), Information Technology Executive Steering Committee (ITESC), and the Board of Regents through a formal IT Risk Management Program.
References
- Data Governance Policy
- National Institute of Standards and Technology Cybersecurity Framework (CSF)
- National Institute of Standards and Technology Special Publication 800-171, Controlled Unclassified Information
- Health Insurance Portability and Accountability Act of 1996 (HIPAA), Security Rule, §164.308(b)(1), 164.308(b)(4), 164.312(c)(1), 164.312(c)(2), 164.312€(2)(i), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)
- General Data Protection Regulation (GDPR)
- Payment Card Industry (PCI) Data Security Standards
- Gramm-Leach-Bliley Act (GLBA)
- Family Education Rights and Protection Act (FERPA)
Revision, Review, and Approval History
- October 2023: OU IT Governance, Risk, and Compliance: Initial draft, opened for comments
- January 2024: OU IT Governance, Risk, and Compliance: Comment period closed
- January 2024: Office of Compliance: Standard reviewed, comments submitted
- February 2024: OU IT Governance, Risk, and Compliance: The criteria for remediating risks has been moved to Risk Treatment item #1.
- March 2024: Internal Audit: Standard reviewed, comments submitted
- March 2024: OU IT Governance, Risk, and Compliance: Minor revision to policy statement. Updated "Department IT" references.
- March 2024: Cybersecurity and Infrastructure Advisory Committee (CIAC): Reviewed standard, recommended for approval
- July 2024: Standard approved by Chief Information Officer