6.18 INFORMATION TECHNOLOGY RISK ASSESSMENT

Effective: August 15, 2024

Purpose: Information Technology (IT) security assurance is the degree of confidence with which managerial, technical, and operational security controls protect the information assets of Emporia State University. Administrators must understand the status of the systems’ security controls in order to make informed decisions and investments that appropriately mitigate Information Security risks to an acceptable level.

Scope: This policy applies to all electronic data created, stored, processed or transmitted by Emporia State University, and the Information Systems or technology used with that data.

Responsible Office: Information Technology

Policy Statement: The Information Security Officer (ISO) is responsible for reviewing this policy annually. The ISO also has the responsibility to:

  • Develop and maintain formal Risk Assessment Procedures;
  • Work with Information Technology (IT) and Unit Support personnel to identify risks to the institution’s information systems and infrastructure and the controls required to mitigate the identified risks;
  • Work with the CIO to determine the risk ratings; and
  • Develop or facilitate the development of the Information Security Assessment report.

When investments in controls are warranted:

  • IT will be responsible for implementing the controls on systems managed by IT; and
  • Unit Support Personnel will be responsible for implementing the controls on systems they manage.

The Chief Information Officer (CIO) is responsible for monitoring and reporting compliance with this policy. In all cases, information will be disclosed as required by controlling law.

All Information Systems and technology must be assessed for the risk to Emporia State University that results from threats to the integrity, availability and confidentiality of Emporia State University data. Assessments should be completed prior to the purchase or acquisition of, or significant changes to, an information system or technology, and at least every two (2) years for systems that store, process, or transmit University data.

Assessments

In coordination with the requesting unit, ESU’s Information Technology Team will conduct risk assessments of information systems as needed using methods identified in the Risk Assessment Procedures. The risk assessment findings, the controls identified, and a risk rating will be developed into the Information Security Assessment report for review by the CIO and the requesting unit.

Risks identified through assessment must be mitigated or accepted prior to the system being placed into operation. Residual risks may only be accepted on behalf of the University by a person with the appropriate level of authority as determined by the CIO. A remediation plan of identified risks must be included in the assessment.

Definitions: All words and phrases shall be interpreted utilizing their plain meanings unless otherwise defined in another University or Board of Regents policy or by statute or regulation.

Procedures: All procedures linked and related to the policies above shall have the full force and effect of policy if said procedures have first been properly approved by the University’s administrator in charge of Information Technology.

[Information Technology procedures - coming soon]

Related Policy Information: [coming soon]

History and Revisions

Adoption Date:
10/13/2009 [FSB 09002 passed by Faculty Senate on 10/06/2009, approved by President, and included in UPM as Policy 3J.05]
Revision Date:
10/02/2013 [Policy updated]
04/26/2019 [FSB 18022 passed by Faculty Senate on 04/16/2019 approved by President]
08/15/2024 [Policy format revised as part of UPM Revision]