UMGC Policy X-1.18

Information Security Risk Management

Policy Category: X - Information Governance, Security & Technology
Policy No. & Title: X-1.18 Information Security Risk Management
Policy Owner: VP of Information Security
Effective Date: July 15, 2021
Revision Number: N/A
Revision Eff. Date: N/A
Review Cycle: Every 3 years

  1. Purpose

    The purpose of this policy is to establish the requirements for the identification and handling of Information Security related risks facing UMGC ("University") to promote informed decision-making regarding risk tolerance and acceptance. The University understands the importance of managing internal and external risks to protect the Confidentiality, Integrity and Availability of Information Resources by establishing procedures to assess the sufficiency of Information Security controls in place.

  2. Scope and Applicability

    This policy and its supporting standards and procedures apply to all Users of UMGC Information Systems and Information Resources.

  3. Definitions

    Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.

    1. Availability: The principle of ensuring timely and reliable access to and use of Information based upon the concept of Least Privilege.

    2. Confidentiality: The principle of preserving authorized restrictions on Information access and disclosure, including means for protecting personal privacy and proprietary information.

    3. Contractor: A person or a company that undertakes a contract to provide materials or labor to perform a service.

    4. Critical Information Systems (CIS): Inter-related components of Information Resources working together where the loss of confidentiality, integrity, availability, or privacy could be expected to have a severe or catastrophic adverse effect on University operations, assets, or individuals.

    5. Employee: University staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty.

    6. Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numeric, graphic, cartographic, narrative, or audiovisual.

    7. Information Resources: Anything that is intended to generate, store, or transmit Information.

    8. Information Security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

    9. Information System: Inter-related components of Information Resources working together for the collection, processing, maintenance, use, sharing, dissemination, or disposition of Information.

    10. Integrity: The principle of ensuring Records and the Information contained therein are accurate and Authentic by guarding against improper information modification or destruction.

    11. User: A member of the UMGC community, including but not limited to Staff and Faculty, and other individuals performing services on behalf of UMGC, including Contractors, volunteers and other individuals who may have a need to access, use or control UMGC Data.

  4. Risk Management

    1. The VP of Information Security shall establish an Information Security Risk Management Program to identify Information Security related risks and implement procedures to address and manage the risks.

    2. Risk management procedures shall include risk analysis, risk treatment, risk communication, risk monitoring, review and signoff.

    3. Periodic Information Security risk assessments will be performed to determine areas of vulnerability and to initiate appropriate remediation. These assessments will evaluate risk related to administrative, physical, and technical operational areas, including Critical Information Systems (CIS). Risk assessments shall include (1) a description of potential risks, (2) potential remediation plans of action and milestones (POA&Ms), (3) an explanation of residual risks, and (4) sign-off by the VP of Information Security once actions regarding risk mitigation or acceptance have been completed.

    4. All Information Systems must be assessed for risk to the University prior to the purchase of, or significant changes to, systems that store, process or transmit data.

    5. Employees and Contractors shall provide support during Information Security risk assessments when applicable to their University business areas, including but not limited to being interviewed, providing relevant artifacts, and assisting in the remediation of identified risks.

    6. The Information Security Governance Committee will convene periodically to review the results of the risk assessments and to determine the disposition of potential risks.

  5. Exceptions

    Exceptions to this policy should be submitted to the VP of Information Security for review and approval.

  6. Enforcement

    1. Any Employee, Contractor, or third party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the VP of Information Security as soon as practicable.

    2. Information System Stewards, in consultation with the Office of Human Resources, may instruct Access Account Managers or other appropriate personnel to confiscate, temporarily suspend, or terminate Users' access to Information Resources while investigating an alleged violation of this Policy.

    3. Any Employee, Contractor, or other third party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract.

  7. Related Policies

    1. UMGC X-1.02 Data Classification

    2. UMGC X-1.04 Information Security

    3. UMGC X-1.05 Information Security Awareness & Training

    4. UMGC X-1.12 Acceptable Use

    5. Account Management (Learner Community)

    6. Account Management (Workforce)

  8. Effective Date

    This policy is effective as of the date set forth above and supersedes all prior policies on the subject matter hereof.