Policy Statement
To protect the confidentiality, integrity, and availability of University of Minnesota data in compliance with applicable state and federal laws and regulations, the University of Minnesota has a formal Information Security Risk Management Program. This program includes two procedures that support overall risk management: the process for conducting risk assessments, and the process for managing exceptions to the Information Security Policy.
The University Chief Information Security Officer (CISO) is responsible for managing the Information Security Risk Management Program and coordinating the development and maintenance of program policies, procedures, and standards.
Risk Assessments
The University CISO develops an annual information security risk assessment plan in coordination with collegiate and administrative units across the system (see responsibilities below). Collegiate and administrative units have a responsibility and obligation to ensure risk assessments are performed on their technology, processes, and controls based on risk criticality.
Collegiate and administrative units must:
- Identify all collections and uses of private data to University Information Security upon request.
- Collaborate with the University CISO to complete information security risk assessments.
- Develop and implement a risk treatment plan.
- Report updates to the risk treatment plan to the University CISO or designate.
Units must share with University Information Security results of applicable risk assessments, and any associated risk treatment plans completed by parties other than University Information Security.
Reason for Policy
University data are valuable assets to the University of Minnesota and require appropriate protection. A formal Information Security Risk Management program consistently identifies and tracks information security risks, monitors plans for remediation, and provides guidance for strategic resource planning. It is critical that the University administer formal Information Security Risk Management processes, in order to facilitate compliance with applicable state and federal laws and regulations, protect the confidentiality, integrity, and availability of University of Minnesota data, and enable informed decisions regarding risk tolerance and acceptance.