Information Security: Risk Management

Original Issuance Date: October 13, 2020

Last Revision Date: November 11, 2022

Effective Date: January 1, 2022

1. Policy Purpose

The purpose of this policy is to provide a formal structure for the management of information security (IS) risks occurring within the University of Wisconsin (UW) System. IS risk management protects the confidentiality, integrity, and availability of UW IT assets in compliance with applicable UW System policies, state and federal regulations, and industry guidelines.

2. Responsible UW System Officer

Associate Vice President (AVP) for Information Security

3. Scope and Institutional Responsibilities

This policy is applicable to all UW System institutions and identifies the parameters for assessing risk of all institution owned or leased IT assets and/or systems that store or process data used to accomplish research, teaching, learning, administration, or fulfill public service.

4. Background

The President of the UW System is empowered to establish information security polices under Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission. The information security risk management principles described within this policy are designed to help ensure satisfactory and consistent practices to address and mitigate information security risk throughout all UW System institutions.

5. Definitions

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:

IT Asset
Control
Data
Inherent Risk
Risk
Risk Executive
Risk Management
Risk Assessment
Risk Treatment

6. Policy Statement

Information security risk associated with all IT assets must be formally managed, as described in UW System Administrative Procedure 1039.A, Information Security: Risk Management and UW System Administrative Procedure 1039.B, Information Security: Notification of Risk Acceptance, to ensure that the likelihood and impact of threats and vulnerabilities are understood and minimized to the furthest extent practical.

Information security risks and the assessment of those risks will be compiled and maintained in a centralized repository known as the UW System Risk Register. Risks will be identified through a variety of sources, including but not limited to, internal and external audits and assessments, systems monitoring, vulnerability scans, penetration tests, and incident investigations. UW System leadership will convene regularly, in the form of a Risk and Compliance Council, to evaluate and prioritize any mitigation actions to address identified risks.

A. Requirements

As part of the Information Security Risk Management process, the UW System institutions will be required to:

Identify and Document: Formally identify and document information security risks.
Manage: Manage the lifecycle of information security risks in a formal and consistent manner and ensure that risks are aligned with the UW System Administrative Procedure 1039.A, Information Security: Risk Management.
Report: Report information security risks as described in UW System Administrative Procedure 1039.A, Information Security: Risk Management.
Implement/Maintain Security Controls: Implement, administer, and maintain information risk treatments necessary to reduce risk to an acceptable level occurring within the UW System, when a given risk is determined to be unacceptable.

B. Risk Acceptance

In a situation in which a UW institution does not implement a control or process to manage an identified risk, such a decision must be formally documented, as described in UW System Administrative Procedure 1039.B, Information Security Notification of Risk Acceptance. For UW System Administration, the Vice President for Finance and Administration shall serve in place of the Chancellor, in relation to responsibilities identified within UW System Administrative Procedure 1039.B.

C. Training

The UW System Office of Information Security will ensure information security risk management training materials are made available to Risk Executives, UW System leaders, managers, system developers and users.