Purpose
This policy establishes the requirements for the identification and assessment of Information Security related risks facing UMGC ("University") to inform decision-making regarding risk tolerance and acceptance. This policy supports the UMGC Policy on Enterprise Risk Management and the University System of Maryland (USM) IT Security Standards by further establishing standards related to Information Security risk assessment procedures and mitigation strategies.
Scope and Applicability
This policy applies to all Users of UMGC Information Resources.
The Information Security Office shall establish an Information Security Risk Management Program to identify Information Security related risks and implement procedures to address and manage the risks.
Risk management procedures shall include risk analysis, risk treatment, risk communication, risk monitoring, review, and sign-off.
Periodic Information Security risk assessments will be performed to determine areas of vulnerability and to initiate appropriate remediation. These assessments will evaluate risk related to administrative, physical, and technical operational areas to include Critical Information Systems (CIS). Risk assessments shall include:
A list of systems and other services defined as "high-risk" by the institution;
A description of potential risks;
Potential remediation plans of action and milestones (POA&Ms);
An explanation of residual risks; and
Sign-off by the Sr. Director of Information Security once actions regarding risk mitigation or acceptance have been completed.
All Information Systems must be assessed for risk to the University prior to the purchase of, or significant changes to, systems that store, process, or transmit data.
Employees and Contractors shall provide support during Information Security risk assessments when applicable to their University business areas, including, but not limited to, being interviewed, providing relevant artifacts, and assisting in the remediation of identified risks.
The Information Security Governance Committee (ISGC) will convene periodically to review the results of the risk assessments and to determine the disposition of potential risks.
Exceptions
Exceptions to this policy should be submitted to Information Security for review and approval.
Enforcement
Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify Information Security as soon as practicable.
Information System Stewards, in consultation with the Office of Human Resources, may instruct Access Account Managers or other appropriate personnel to confiscate, temporarily suspend, or terminate Users' access to Information Resources while investigating an alleged violation of this Policy.
Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract.
Standards Referenced
USM IT Security Standards, v.5, dated July 2022
NIST SP 800-171r2 "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," dated February 2020
Cybersecurity Maturity Model Certification (CMMC), v.2.0, dated December 2021