
Risk Management

Risk management is the act or practice of controlling risk. The risk process includes identifying and tracking risk areas, developing risk mitigation plans as part of risk handling, monitoring risks, and performing risk assessments to determine how risks have changed.

Overview

The following resources provide policy, standards, and guidelines to assist University System Office and Institutions in the development and maintenance of their risk management programs.

Risk Management

Risk management is the process of taking actions to avoid or reduce risk to acceptable levels. This process includes both the identification and assessment of risk through risk analysis and the initiation and monitoring of appropriate practices in response to that analysis through each University System of Georgia (USG) institution's risk management program. USG institutions need to ensure the integrity of IT resources by protecting them from unauthorized access, modification, destruction, or disclosure, and to ensure the physical security of these resources.

Risk Analysis

As an essential aspect of its information technology security and risk management program, each USG institution that employs information technology must establish a risk analysis process to identify and assess risks associated with its information assets and define a cost-effective approach to managing such risks. Specific risks that must be addressed include, but are not limited to:

  • those associated with accidental and deliberate acts on the part of USG institution employees and outsiders;
  • fire, flooding, and electrical disturbances; and
  • loss of data communications capabilities.

The risk analysis process must identify and prioritize critical applications of information technology. When establishing priorities, USG institutions should consider that applications may become more critical as the period of unavailability increases and that processing cycles (e.g., monthly, quarterly, or yearly) may have an impact upon the prioritization of applications. The risk analysis process must be carried out with sufficient regularity to ensure that the USG institution's approach to risk management is a realistic response to the current risks associated with its information assets. In general, the risk analysis process should be cyclical for most USG institutions. USG institutions should complete the comprehensive risk analysis cycle at least every two years and whenever there has been a significant change in their use of information technology. This cycle ends with the preparation of a report documenting the risk assessment.

The risk analysis process should include the following:

  • Assignment of responsibilities for risk assessment, including appropriate participation of executive, technical, and program management.
  • Identification of the USG institutional information assets that are at risk, with particular emphasis on the applications of information technology that are critical to the USG institution's program operations. A critical application, from a system-wide perspective, is an application that is so important to the USG that the loss or unavailability of the application is unacceptable. With a critical application, even short-term unavailability of the information provided by the application would have a significant negative impact on the health and safety of USG workers; on the fiscal or legal integrity of USG operations; or, on the continuation of essential USG institution programs.
  • Identification of the threats to which the information assets could be exposed.
  • Assessment of the vulnerabilities, i.e., the points where information assets lack sufficient protection from identified threats.
  • Determination of the probable loss or consequences, based upon quantitative and qualitative evaluation, of a realized threat for each vulnerability and estimation of the likelihood of such occurrence.
  • Identification and estimation of the cost of protective measures, which would eliminate or reduce the vulnerabilities to an acceptable level.
  • Selection of cost-effective security management measures to be implemented.
  • Preparation of a report to be submitted to the USG Office of Information Security (upon request) and to be kept on file within the USG institution, documenting the risk assessment, the proposed plan of action and milestones, security management measures, the resources necessary for security management, and the amount of remaining risk to be accepted by the USG institution.
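The steps above (identify assets, threats and vulnerabilities; estimate probable loss and likelihood; cost the protective measures; select the cost-effective ones; report the remaining risk) can be carried through quantitatively with the standard annualized-loss-expectancy model. The following is an added example written for this page, not USG policy text or USG-supplied code; every asset, dollar figure, rate and safeguard name in it is a constructed sample input, and the model assumes a safeguard acts by lowering the annual rate of occurrence and, optionally, the fraction of the asset lost per event.

```python
"""Quantitative risk analysis for the process steps listed above.

Added example (not USG policy text or USG-supplied code). Applies the
annualized-loss-expectancy model:

    SLE = asset value * exposure factor     (loss per realized threat)
    ALE = SLE * ARO                          (probable loss per year)

A protective measure is cost-effective when the ALE it removes exceeds its
annual cost; otherwise the risk is accepted and reported as remaining risk.
Every asset, dollar figure and rate below is a constructed sample input.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Exposure:
    """One asset / threat / vulnerability triple found during risk analysis."""
    asset: str
    threat: str
    vulnerability: str
    asset_value: float       # dollar value of the asset (or of its loss)
    exposure_factor: float   # fraction of asset_value lost per occurrence, 0..1
    aro: float               # annualized rate of occurrence (events per year)

    def sle(self) -> float:
        """Single loss expectancy: loss from one realized threat."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: probable loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate protective measure and its estimated effect (hypothetical)."""
    name: str
    annual_cost: float                              # amortized purchase + operation
    aro_after: float                                # ARO with the measure in place
    exposure_factor_after: Optional[float] = None   # reduced EF if the measure limits damage


def residual_ale(exp: Exposure, sg: Safeguard) -> float:
    """Remaining annual loss once the safeguard is in place."""
    ef = exp.exposure_factor if sg.exposure_factor_after is None else sg.exposure_factor_after
    return exp.asset_value * ef * sg.aro_after


def net_benefit(exp: Exposure, sg: Safeguard) -> float:
    """ALE reduction minus annual cost; positive means the measure pays for itself."""
    return exp.ale() - residual_ale(exp, sg) - sg.annual_cost


def select_safeguard(exp: Exposure, candidates: List[Safeguard]) -> Optional[Safeguard]:
    """Pick the candidate with the largest positive net benefit.

    Returns None when no candidate pays for itself: the risk is accepted and
    must appear in the report as remaining risk."""
    best = max(candidates, key=lambda sg: net_benefit(exp, sg), default=None)
    if best is None or net_benefit(exp, best) <= 0:
        return None
    return best


def prioritize(exposures: List[Exposure]) -> List[Exposure]:
    """Rank exposures by ALE, highest first, so critical items head the report."""
    return sorted(exposures, key=lambda e: e.ale(), reverse=True)


def plan(exposures: List[Exposure],
         candidates: Dict[Tuple[str, str], List[Safeguard]]) -> List[dict]:
    """Produce the report rows: asset, ALE, chosen measure and remaining risk."""
    rows = []
    for exp in prioritize(exposures):
        sg = select_safeguard(exp, candidates.get((exp.asset, exp.threat), []))
        remaining = exp.ale() if sg is None else residual_ale(exp, sg)
        rows.append({"asset": exp.asset, "threat": exp.threat, "ale": exp.ale(),
                     "measure": None if sg is None else sg.name,
                     "remaining_risk": remaining})
    return rows


# Constructed sample inputs (hypothetical figures, not USG data).
SAMPLE_EXPOSURES = [
    Exposure("Student records database", "data breach", "unencrypted offsite backups",
             asset_value=2_000_000, exposure_factor=0.4, aro=0.1),
    Exposure("Server room", "fire", "no automatic suppression",
             asset_value=500_000, exposure_factor=0.8, aro=0.05),
    Exposure("Campus WAN link", "loss of data communications", "single carrier, no failover",
             asset_value=300_000, exposure_factor=0.5, aro=0.5),
]
SAMPLE_CANDIDATES = {
    ("Student records database", "data breach"): [
        Safeguard("Encrypt backups and monitor access", annual_cost=25_000, aro_after=0.02),
        Safeguard("Cyber insurance rider", annual_cost=40_000, aro_after=0.1,
                  exposure_factor_after=0.15),
    ],
    ("Server room", "fire"): [
        Safeguard("Gas suppression system", annual_cost=30_000, aro_after=0.01),
    ],
    ("Campus WAN link", "loss of data communications"): [
        Safeguard("Second carrier circuit", annual_cost=18_000, aro_after=0.05),
    ],
}

if __name__ == "__main__":
    for row in plan(SAMPLE_EXPOSURES, SAMPLE_CANDIDATES):
        print(row)
```

With the sample figures the database breach (ALE 80,000) and the WAN outage (ALE 75,000) both get a measure whose net benefit is positive, while the fire-suppression system costs more per year than the 20,000 of loss it would remove, so that exposure is left as accepted risk in the report. Qualitative inputs (a likelihood/impact scale) can be fed into the same structure by mapping each scale value to a representative dollar figure and rate before the ALE is computed.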

USG Institution Risk Management Program

The practice of information technology risk management within the USG Institution must be based upon the results of the institution's risk analysis process. Obtaining resources for risk management is subject to the same technical, programmatic, and budgetary justification and review processes required for any information technology program. The risk management practices implemented by the institution will vary depending upon the nature of the institution's information assets. Among the practices that must be included in each institution's risk management program are:

  • Organizational and Management Practices
  • Personnel Practices
  • Physical Security Practices
  • Information Integrity and Data Security Practices
  • Personal Computer Security Practices
  • Software Integrity Practices

Risk Assessment Toolkit

These are tools for the University System Office and Institutions to use in identifying information security risks and to help mitigate the issues.

Managing Enterprise Risk

Key activities/steps in managing enterprise-level risk, that is, risk resulting from the operation of an information system:

  1. Categorize the information system (criticality/sensitivity)
  2. Select and tailor baseline (minimum) security controls
  3. Supplement the security controls based on risk assessment
  4. Document security controls in system security plan
  5. Implement the security controls in the information system
  6. Assess the security controls for effectiveness
  7. Authorize information system operation based on mission risk
  8. Monitor security controls on a continuous basis
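Step 1, categorizing the system by criticality and sensitivity, is where the standards listed below (FIPS 199 and SP 800-60) apply: each information type the system handles carries a potential impact level (low, moderate, or high) for confidentiality, integrity, and availability; the system's category for each objective is the highest level among its information types (the high-water mark); and the highest of those three is the overall impact level that drives the baseline selection in step 2. FIPS 199 allows a "not applicable" confidentiality value only for public information. The following is an added example written for this page, not USG or NIST code; the information types and impact levels in it are constructed sample inputs and are not values taken from SP 800-60.

```python
"""Security categorization (step 1 above) with the FIPS 199 high-water mark.

Added example, not USG or NIST code. The information types and levels below
are constructed sample inputs, not values taken from SP 800-60.
"""
from typing import Dict, Iterable, Optional, Tuple

OBJECTIVES = ("confidentiality", "integrity", "availability")
# Ordering of impact levels; "not applicable" is valid only for confidentiality.
RANK = {"not applicable": 0, "low": 1, "moderate": 2, "high": 3}


def high_water_mark(levels: Iterable[str]) -> str:
    """Highest impact level in the collection."""
    return max(levels, key=RANK.__getitem__)


def validate(info_types: Dict[str, Dict[str, str]]) -> None:
    """Reject unknown levels and 'not applicable' outside confidentiality."""
    if not info_types:
        raise ValueError("at least one information type is required")
    for name, cat in info_types.items():
        for obj in OBJECTIVES:
            lvl = cat.get(obj)
            if lvl not in RANK:
                raise ValueError(f"{name}/{obj}: unknown impact level {lvl!r}")
            if lvl == "not applicable" and obj != "confidentiality":
                raise ValueError(f"{name}/{obj}: 'not applicable' is allowed only for confidentiality")


def categorize_system(info_types: Dict[str, Dict[str, str]],
                      adjustments: Optional[Dict[Tuple[str, str], str]] = None) -> dict:
    """Compute the system security category and overall impact level.

    info_types maps an information type to its provisional level per objective.
    adjustments optionally overrides (type, objective) pairs after analysis;
    SP 800-60 expects such adjustments to be documented with a rationale."""
    validate(info_types)
    adjustments = adjustments or {}
    effective = {name: {obj: adjustments.get((name, obj), cat[obj]) for obj in OBJECTIVES}
                 for name, cat in info_types.items()}
    validate(effective)  # adjusted values must obey the same rules
    per_objective = {obj: high_water_mark(cat[obj] for cat in effective.values())
                     for obj in OBJECTIVES}
    overall = high_water_mark(per_objective.values())
    return {"security_category": per_objective, "overall_impact": overall}


def format_category(result: dict) -> str:
    """FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    parts = ", ".join(f"({obj}, {lvl.upper()})"
                      for obj, lvl in result["security_category"].items())
    return "SC = {" + parts + "}"


# Constructed sample inputs for a hypothetical student information system.
SAMPLE_INFO_TYPES = {
    "student academic records": {"confidentiality": "moderate", "integrity": "moderate",
                                 "availability": "low"},
    "financial aid disbursement": {"confidentiality": "moderate", "integrity": "high",
                                   "availability": "moderate"},
    "public course catalog": {"confidentiality": "not applicable", "integrity": "low",
                              "availability": "low"},
}

if __name__ == "__main__":
    result = categorize_system(SAMPLE_INFO_TYPES)
    print(format_category(result))
    print("overall impact:", result["overall_impact"])
```

With the sample types the system comes out as moderate for confidentiality, high for integrity (driven by the disbursement data), and moderate for availability, so the overall impact level, and therefore the control baseline selected in step 2, is high. Documenting an adjustment of the disbursement integrity level to moderate would lower the overall level to moderate, which is why such adjustments need a recorded rationale.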

Key Risk Management Standards & Guidelines

  • FIPS Publication 199 (Security Categorization)
  • FIPS Publication 200 (Minimum Security Requirements)
  • NIST Special Publication 800-18 (Security Planning)
  • NIST Special Publication 800-30 (Risk Management)
  • NIST Special Publication 800-37 (Certification & Accreditation)
  • NIST Special Publication 800-53 (Recommended Security Controls)
  • NIST Special Publication 800-53A (Security Control Assessment)
  • NIST Special Publication 800-59 (National Security Systems)
  • NIST Special Publication 800-60 (Security Category Mapping)

Many other FIPS and NIST Special Publications provide security standards and guidance supporting the FISMA legislation.


The University System - Office of Information Security (OIS) web site contains links to other sites that are not owned or controlled by us. The information provided at these sites does not reflect the views of this Office or indicate an endorsement of a particular company or product. Please be aware that our Office is not responsible for the security and privacy practices of such other sites.