ÐÒ¸£±¦µ¼º½

Skip Navigation

UMGC Policy X-1.18 Information Security Risk Management

Policy CategoryPolicy OwnerVersion Effective DateReview CyclePolicy Contact
X. Information Governance, Security & TechnologyChief Transformation OfficerOct. 31, 2023Every 3 yearsUMGC Information Security
  1. Purpose
    This policy establishes the requirements for the identification and assessment of Information Security related risks facing UMGC ("University") to inform decision-making regarding risk tolerance and acceptance. This policy supports the UMGC Policy on Enterprise Risk Management and the University System of Maryland (USM) IT Security Standards by further establishing standards related to Information Security risk assessment procedures and mitigation strategies.
  2. Scope and Applicability
    This policy applies to all Users of UMGC Information Resources.
  3. Definitions
    Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.
  4. Information Security Risk Management
    1. The Information Security Office shall establish an Information Security Risk Management Program to identify Information Security related risks and implement procedures to address and manage the risks.
      1. Risk management procedures shall include risk analysis, risk treatment, risk communication, risk monitoring, review, and signoff.
    2. Periodic Information Security risk assessments will be performed to determine areas of vulnerability and to initiate appropriate remediation. These assessments will evaluate risk related to administrative, physical, and technical operational areas to include Critical Information Systems (CIS). Risk assessments shall include:
      1. A list of systems and other services defined as "high-risk" by the institution;
      2. A description of potential risks;
      3. Potential remediation plans of actions and milestones (POA&Ms);
      4. An explanation of residual risks; and
      5. Sign-off by the Sr. Director of Information Security once actions regarding risk mitigation or acceptance have been completed.
    3. All Information Systems must be assessed for risk to the University prior to purchase of, or significant changes to systems that store, process, or transmit data.
    4. Employees and Contractors shall provide support during Information Security risk assessments when applicable to their University business areas to include, but not limited to, being interviewed, providing relevant artifacts, and assisting in the remediation of identified risks.
    5. The Information Security Governance Committee (ISGC) will convene periodically to review the results of the risk assessments and to determine the disposition of potential risks.
  5. Exceptions
    Exceptions to this policy should be submitted to Information Security for review and approval.
  6. Enforcement
    1. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify Information Security as soon as practicable.
    2. Information System Stewards in consultation with the Office of Human Resources may instruct Access Account Managers, or other appropriate personnel to confiscate, temporarily suspend, or terminate Users' access to Information Resources while investigating an alleged violation of this Policy.
    3. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract.
  7. Standards Referenced
    1. USM IT Security Standards, v.5, dated July 2022
    2. NIST SP 800-171r2 "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," dated February 2020
    3.  Cybersecurity Maturity Model Certification (CMMC), v.2.0, dated December 2021
  8. Related Policies
    1. UMGC Policy VIII-20.01 Enterprise Risk Management
    2. UMGC Policy X-1.02 Data Classification
    3. UMGC Policy X-1.04 Information Security
    4. UMGC Policy X-1.05 Information Security Awareness & Training
    5. UMGC Policy X-1.12 Acceptable Use
    6. UMGC Policy X-1.19A Account Management (Learner Community)
    7. UMGC Policy X-1.19B Account Management (Workforce)
  9. Version Effective Date
    This policy is effective as of the date set forth above and supersedes all prior policies on the subject matter hereof.