ITS Security Policy 114 Information Security Risk Management

Security Policy Goals [Link]


The purpose of this policy is to ensure that risks to CCC information assets are considered and managed in order to support the confidentiality, integrity, availability and privacy of these assets. This policy establishes the framework for a formal risk management program for information assets.


This policy is intended to address the negative risks associated with operating electronic information systems and networks and is applicable to all individuals, systems, and processes that use, own, manage, store, or otherwise interact with information assets that are owned, managed, or in the custody of CCC.

Policy summary:

The CIO shall implement a risk management program which shall reduce the information security risk exposure to a threshold acceptable to the CCC Executive Team. The risk management program shall comply with all applicable laws and regulations imposed upon CCC.


In many cases, CCC’s ITS Department may not be the owner of an information asset and fulfils the role of custodian. With regard to the implementation of a Risk Management Plan, ITS shall include the asset’s owner in determining the classification of the asset and the risks associated with the asset. The ITS Department shall be responsible for the design and implementation of the technical controls used to reduce and/or mitigate risks to vulnerable information assets.

Where the ITS Department is not the owner of the information asset, the CIO shall ensure that all known threats regarding the information asset are clearly communicated to the asset’s owner.

The CIO shall implement an information security risk management program that:

  1. Considers and manages risk according to standards set in place by the CCC Executive Team and supports CCC’s mission.
  2. Adheres to applicable law and regulations.
  3. Follows industry best practices such as NIST SP 800-39, ISO and COBIT.
  4. Considers threats from internal and external sources, which shall include physical threats and threats to information assets that are hosted by third-party services.
  5. Reduces risk for assessed threats to a level at or below the acceptable risk tolerance level as determined by the CCC Executive Team.
  6. Provides input into CCC’s disaster recovery and continuity of business plans with regard to the availability of electronic information assets.
  7. Provides a methodology for assessing and responding in a timely manner to critical threats and/or vulnerabilities that were previously unknown.




Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO).

Policy violation [Link]

Complaint procedures [Link]

Governing standards, policies, and guidelines [Link]

Definitions [Link]

Responsible executive

Chief Information Officer

Last revision date

7-13-2022 srw


Article ID: 144965
Wed 7/13/22 11:59 AM
Wed 7/13/22 1:22 PM