ITS Security Policy 114 - Information Security Risk Management

Status: TDX Submitted Draft
Last Revision Date: July 13, 2022

Purpose

The purpose of this policy is to ensure that risks to Clackamas Community College Electronic Information Resources are properly assessed and managed to uphold confidentiality, integrity, availability, and privacy. This policy establishes a structured framework for a formal risk management program governing Electronic Information Resources.

Policy Summary

The Chief Information Officer (CIO) shall implement a risk management program designed to minimize information security risk exposure to a level deemed acceptable by the Clackamas Community College Executive Team. The risk management program must comply with all applicable laws and regulations governing Clackamas Community College.

Policy

  1. The Clackamas Community College Information Technology Services (ITS) Department may not always be the owner of an Electronic Information Resource and may instead serve as a custodian. When implementing a Risk Management Plan, ITS shall collaborate with the resource owner to classify the resource and assess its associated risks. The ITS Department shall be responsible for designing and implementing the necessary technical controls to reduce and/or mitigate vulnerabilities in Electronic Information Resources.

  2. When the ITS Department is not the owner of an Electronic Information Resource, the CIO shall ensure that all identified threats regarding the resource are clearly communicated to the resource owner.

  3. The CIO shall establish and maintain an information security risk management program that:

    • Manages risk in accordance with the standards set by the Clackamas Community College Executive Team and aligns with the College’s mission.

    • Ensures compliance with applicable laws and regulations.

    • Adopts industry best practices, including NIST SP 800-39, ISO, and COBIT.

    • Evaluates threats from both internal and external sources, including physical threats and risks associated with Electronic Information Resources hosted by third-party services.

    • Reduces assessed risks to a level at or below the acceptable risk tolerance defined by the Clackamas Community College Executive Team.

    • Integrates with the College’s disaster recovery and business continuity plans to ensure the availability of Electronic Information Resources.

    • Establishes a methodology for assessing and responding promptly to previously unidentified critical threats and vulnerabilities.

Exemptions

None.

Exceptions

Any exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO).