��Ĵ�ý Policy on Information Security Risk Management

Policy Category	Policy Owner	Version Effective Date	Review Cycle	Policy Contact
X. Information Governance, Security & Technology	SVP, General Counsel, and Chief People Officer	Oct. 31, 2023	Every 3 years	Information Governance

Purpose
This policy establishes the requirements for the identification and assessment of Information Security related risks facing ��Ĵ�ý ("University") to inform decision-making regarding risk tolerance and acceptance. This policy supports the ��Ĵ�ý Policy on Enterprise Risk Management and the University System of Maryland (USM) IT Security Standards by further establishing standards related to Information Security risk assessment procedures and mitigation strategies.
Scope and Applicability
This policy applies to all Users of ��Ĵ�ý Information Resources.
Definitions
Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.
Information Security Risk Management
1. The Information Security Office shall establish an Information Security Risk Management Program to identify Information Security related risks and implement procedures to address and manage the risks.
  1. Risk management procedures shall include risk analysis, risk treatment, risk communication, risk monitoring, review, and signoff.
2. Periodic Information Security risk assessments will be performed to determine areas of vulnerability and to initiate appropriate remediation. These assessments will evaluate risk related to administrative, physical, and technical operational areas to include Critical Information Systems (CIS). Risk assessments shall include:
  1. A list of systems and other services defined as "high-risk" by the institution;
  2. A description of potential risks;
  3. Potential remediation plans of actions and milestones (POA&Ms);
  4. An explanation of residual risks; and
  5. Sign-off by the Sr. Director of Information Security once actions regarding risk mitigation or acceptance have been completed.
3. All Information Systems must be assessed for risk to the University prior to purchase of, or significant changes to systems that store, process, or transmit data.
4. Employees and Contractors shall provide support during Information Security risk assessments when applicable to their University business areas to include, but not limited to, being interviewed, providing relevant artifacts, and assisting in the remediation of identified risks.
5. The Information Security Governance Committee (ISGC) will convene periodically to review the results of the risk assessments and to determine the disposition of potential risks.
Exceptions
Exceptions to this policy should be submitted to Information Security for review and approval.
Enforcement
1. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify Information Security as soon as practicable.
2. Information System Stewards in consultation with the Office of Human Resources may instruct Access Account Managers, or other appropriate personnel to confiscate, temporarily suspend, or terminate Users' access to Information Resources while investigating an alleged violation of this Policy.
3. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract.
Standards Referenced
1. USM IT Security Standards, v.5, dated July 2022
2. NIST SP 800-171r2 "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," dated February 2020
3. Cybersecurity Maturity Model Certification (CMMC), v.2.0, dated December 2021
Related Policies
Version Effective Date
This policy is effective as of the date set forth above and supersedes all prior policies on the subject matter hereof.

��Ĵ�ý

��Ĵ�ý Policy X-1.18 ��Ĵ�ý Policy on Information Security Risk Management

EXPLORE MORE OF ��Ĵ�ý

EXPLORE MORE OF ��Ĵ�ý

���Ĵ�ý

���Ĵ�ý Policy X-1.18 ���Ĵ�ý Policy on Information Security Risk Management

EXPLORE MORE OF ���Ĵ�ý

EXPLORE MORE OF ���Ĵ�ý

��Ĵ�ý

��Ĵ�ý Policy X-1.18 ��Ĵ�ý Policy on Information Security Risk Management

EXPLORE MORE OF ��Ĵ�ý

EXPLORE MORE OF ��Ĵ�ý