501: Risk Assessment

Information Security Policies & Procedures Manual
Section 500: Security Operations
Effective: 01/11/2010
Revised: 02/20/2014

Purpose

The purpose of this section is to articulate how OSU will conduct risk assessment by first proactive and then reactive means.

Procedure

The proactive component will include regular risk assessments, conducted by the Office of Information Security, by Internal Audit, or by an agent acting on their behalf, on systems declared critical by the University or on systems that house or process Protected or Sensitive Information. This will ensure that data elements identified as Protected or Sensitive have the appropriate security measures in place to protect them.

The reactive component of risk assessment will be a periodic review of information security incidents. The Chief Information Security Officer will periodically review the tracked information security incidents and will identify problem areas to be addressed in an Annual Information Security report to the Chief Information Officer.