ISP-03 - Information Security Risk Management Policy

INFORMATION SECURITY RISK MANAGEMENT POLICY

Policy Objective

To establish a process to manage risks to Parkland College that result from threats to the confidentiality, integrity, and availability of Parkland College systems and data.

Scope

All data created, processed, stored, or transmitted by Parkland College and the related information systems, services, and individuals interacting with the data.

Policy

Section 1 – Risk Management

Management of risk is a critical component of any information security program, as it allows organizational change and improvement while minimizing the negative impact of potential outcomes. It helps ensure that any risks to the confidentiality, integrity, and availability of systems and data are identified, analyzed, and treated.

  1. All systems, data, and processes must be assessed for risk to Parkland College.

  2. Risk must be evaluated prior to the purchase or processing of, or significant changes to, an information system or asset.

  3. Risk assessments must be performed by system and data owners for existing systems and data at regular intervals.

  4. Once risk is identified, a treatment shall be applied. Any untreated risk must be evaluated by Parkland College Administration for possible acceptance.

  5. Every system requires a system security plan with scheduled risk assessments and assigned personnel or roles to conduct and maintain them.

  6. Risks must be considered when change is planned for information systems and assets.

  7. Risks must be documented and prioritized for treatment.

  8. Mitigations must be cost effective relative to the system or asset being protected, considering any potential monetary, collateral, or reputational damage.

  9. Information security risk identification and mitigation activities must comply with the Risk Management Standard.

Standards:

ISP-03 - Risk Management Standard (login required)


Details

Article ID: 156035
Created: Wed 5/31/23 2:41 PM
Modified: Wed 5/31/23 4:28 PM