Rule 4-004B Information Security Risk Management, Rev. 1

  1. PURPOSE AND SCOPE
    1. The purpose of this Information Security Risk Management Rule is to establish the University's risk management program. The objective of University's Risk Management Program is to support University's core institutional and research missions as well as patient safety and quality of care goals, while also mitigating financial, operational, reputational and regulatory compliance risk. This Information Security Risk Management Rule shall enable the University to accomplish its missions by:
      1. Securing the Information Systems that create, maintain, process, or transmit University data designated as "Restricted" or "Sensitive" per the University's Data Classification and Encryption Rule.
      2. Enabling the appropriate University personnel to make well-informed decisions regarding risk and risk management.
    2. This Rule supports section B, titled Information Security Risk Management, of the University of Utah Information Security Policy 4-004.
  2. DEFINITIONS
    The definitions provided in Policy 4-004: University of Utah Information Security Policy, apply for purposes of this Rule, including the following:
    1. Confidential - Any Information Asset which is classified as Restricted or Sensitive per the Data Classification and Encryption Rule.
    2. Information System - An Application or group of Servers used for the electronic storage, processing, or transmitting of any University data or Information Asset.
    3. Restricted Data - Any data types classified as Restricted per the Data Classification and Encryption Rule.
    4. Risk - Risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact. Risk is usually calculated as either a quantitative or qualitative score, and can be represented in the following equation: Risk = (Likelihood of Threat/Vulnerability Event Occurrence) X (Business Impact of Event Occurring)
        1. Inherent Risk – Inherent Risk is defined as the likelihood and impact of loss arising out of circumstances or existing in an environment, IT Resource, or Information System in the absence of any action to control or modify the circumstances. 
        2. Residual Risk – Residual Risk is the risk of an IT Resource that remains after controls or other mitigating factors have been implemented.
    5. Sensitive Data – Any data type classified as Sensitive per the Data Classification and Encryption Rule.
    6. User – Any person, including students, staff, faculty, permanent and temporary employees, contractors, vendors, research collaborators, and third party agents, who accesses any University Electronic Resources, Information Systems, and/or IT Resources.
  3. RULE
      1. The University's information security risk management methodology is based foremost on the National Institute of Standards and Technology (NIST) Special Publication 800-30 "Risk Management Guide for Information Technology Systems" methodology.
      2. The University's information security control framework is based foremost on the International Organization for Standardization (ISO) 27002:2013 control framework and additionally incorporates other relevant control requirements tailored to the University's risk tolerance, and as specified in applicable regulations.
      3. Risk Assessment
        1. Inherent risk scores are calculated based on the following five (5) vectors of risk, which assess both the likelihood and impact of compromise:
          1. Impact: The number of Users who access the Information System
          2. Impact: The number of individual data records stored on the Information System
          3. Likelihood: The type of architecture that the Information System employs
          4. Likelihood: The types of Users that access the Information System
          5. Likelihood and Impact: The highest classification of data the Information System creates, maintains, processes, or transmits
        2. Residual risk scores are calculated based on the inherent risk score and the percentage of compliance of the control objectives assessed during a full risk assessment. A full risk assessment includes the following elements:
          1. Entity level controls
          2. System level controls
      4. Risk Management
        1. The appropriate University key stakeholders shall be issued both Inherent and Residual Risk scores in risk assessment summary reports for all Information Systems assessed. These stakeholders will be responsible for either formally accepting the risk of operating the Information System in the University's environment, or rejecting the risk and requiring a formal corrective action plan to allocate the appropriate timelines, budget line items, and/or other resources to remediate control failures and reduce the Residual Risk score to an acceptable level for the University.
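The scoring method in sections 2.4, 3.3 and 3.4 (Risk = Likelihood X Impact, five inherent-risk vectors, residual risk derived from control compliance, then accept or remediate) worked through as an added example; this is illustrative code, not the University's tool, and the numeric scales, count thresholds, combination rule (mean of vectors) and acceptable-risk level of 5 are assumptions made here:

```python
"""Added model of the Rule 4-004B scoring method. The five vectors, the
likelihood/impact split, the residual-risk relation and the accept/remediate
decision follow the Rule; scales, thresholds and weights are assumed."""
from dataclasses import dataclass
from statistics import mean

# Assumed 1..5 ordinal scales (constructed for this example, not the University's).
ARCHITECTURE_LIKELIHOOD = {"standalone": 1, "internal-only": 2,
                           "vpn-accessible": 3, "internet-facing": 5}
USER_TYPE_LIKELIHOOD = {"staff-only": 1, "staff-and-students": 3,
                        "includes-third-parties": 5}
DATA_CLASS_SCORE = {"Public": 1, "Sensitive": 3, "Restricted": 5}  # names from the Rule

def bucket(count: int, thresholds=(10, 100, 1_000, 10_000)) -> int:
    """Map a user or record count onto the 1..5 scale (thresholds assumed)."""
    return 1 + sum(count >= t for t in thresholds)

@dataclass
class SystemProfile:
    users: int               # vector 1 (impact)
    records: int             # vector 2 (impact)
    architecture: str        # vector 3 (likelihood)
    user_types: str          # vector 4 (likelihood)
    highest_data_class: str  # vector 5 (likelihood and impact)

def inherent_risk(p: SystemProfile) -> float:
    """Risk = Likelihood x Impact, each the mean of its vectors (combination rule assumed)."""
    data = DATA_CLASS_SCORE[p.highest_data_class]
    impact = mean([bucket(p.users), bucket(p.records), data])
    likelihood = mean([ARCHITECTURE_LIKELIHOOD[p.architecture],
                       USER_TYPE_LIKELIHOOD[p.user_types], data])
    return likelihood * impact  # 1..25

def compliance_percentage(control_results: dict[str, bool]) -> float:
    """Share of assessed control objectives met (entity- and system-level together)."""
    if not control_results:
        raise ValueError("no control objectives assessed")
    return 100 * sum(control_results.values()) / len(control_results)

def residual_risk(inherent: float, compliance_pct: float) -> float:
    """Residual risk: inherent risk scaled by the share of control objectives NOT met."""
    if not 0 <= compliance_pct <= 100:
        raise ValueError("compliance must be 0..100 percent")
    return inherent * (1 - compliance_pct / 100)

def disposition(residual: float, acceptable: float = 5.0) -> str:
    """Stakeholder decision per section 3.4: accept, or require a corrective action plan."""
    return "accept" if residual <= acceptable else "corrective action plan required"
```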
    1. [Note: Parts IV-VII of this Regulation (and all other University Regulations) are Regulations Resource Information – the contents of which are not approved by the Academic Senate or Board of Trustees, and are to be updated from time to time as determined appropriate by the cognizant Policy Officer and the Institutional Policy Committee, as per Policy 1-001 and Rule 1-001.]
  4. RULES, PROCEDURES, GUIDELINES, FORMS, and OTHER RELATED RESOURCES
    1. Rules
      1. TBD
    2. Procedures
      1. Policy 4-004 Procedures
    3. Guidelines
      1. TBD
    4. Forms
    5. Other Related Resources
  5. REFERENCES
    1. 45 C.F.R. 164: Health Insurance Portability and Accountability Act (HIPAA): Security and Privacy
    2. Family Educational Rights and Privacy Act of 1974 ("FERPA", 20 U.S.C. § 1232g)
    3. Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541)
    4. ISO 27002:2013, Information Technology - Security Techniques - Code of Practice for Information Security Controls
    5. NIST 800 Series, Federal Information Security Standards
    6. Policy 3-070: Payment Card Acceptance
    7. Policy 4-001: University Institutional Data Management
    8. Policy 4-003: World Wide Web Resources Policy
    9. Policy 5-111: Disciplinary Actions and Dismissal of Staff Employees
    10. Policy 6-400: Code of Student Rights and Responsibilities
    11. Policy 6-316: Code of Faculty Rights and Responsibilities
    12. Pub. 111-5, Division A, Title XIII, Subtitle D: Health Information Technology for Economic and Clinical Health Act (HITECH Act)
    13. Omnibus HIPAA Rule: 45 CFR Parts 160 and 164 - Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the HITECH Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule
    14. Cyber Security Framework: The Cyber Security Framework, created through collaboration between industry and government, consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk
  6. CONTACTS
    1. The designated contact Officials for this Policy are:
      1. Policy Owner (primary contact person for questions and advice): Chief Information Security Officer, 801-213-3397
      2. Policy Officer: Chief Information Officer, 801-581-3100
    2. These officials are designated by the University President or delegee, with assistance of the Institutional Policy Committee, to have the following roles and authority, as provided in University Rule 1-001:
    3. "A 'Policy Officer' will be assigned by the President for each University Policy, and will typically be someone at the executive level of the University (i.e., the President and his/her Cabinet Officers). The assigned Policy Officer is authorized to allow exceptions to the Policy in appropriate cases...."
    4. "The Policy Officer will identify an 'Owner' for each Policy. The Policy Owner is an expert on the Policy topic who may respond to questions about, and provide interpretation of the Policy; and will typically be someone reporting to an executive level position (as defined above), but may be any other person to whom the President or a Vice President has delegated such authority for a specified area of University operations. The Owner has primary responsibility for maintaining the relevant portions of the Regulations Library... [and] bears the responsibility for determining requirements of particular Policies...." University Rule 1-001-III-B & E
  7. HISTORY
    1. Current version: Revision 1, effective date: April 4, 2016
      1. Approved by Academic Senate: May 4, 2015
      2. Approved by Board of Trustees: May 12, 2015
      3. Background information for this version