IT/PPS 04.15 - Risk Management
IT/PPS No. 04.15
Issue No. 2
Effective Date: 5/10/2019
Next Review Date: 3/01/2020 (EY)
Sr. Reviewer: Vice President for Information Technology
- This policy establishes the Division of Information Technology (IT) risk assessment methodology to be applied to information security issues, identified infrastructure deficiencies, audit findings, observations, and recommendations.
Risk Assessment Methodology – a systematic process for describing and quantifying the risks associated with hazardous substances, processes, action or events.
Impact – the effect a single occurrence of a risk will have upon the achievement of the institution’s goals and initiatives.
Information Resources Manager (IRM) – The vice president for Information Technology is the designated IRM.
ISO – Information Security Officer.
Probability – the probability that a risk will become reality.
Risk Score – the impact and probability ratings used to create a final risk tally.
Risk Register – a repository for all risks identified, including information about each risk (e.g., nature of the risk, reference and owner, and mitigation measures).
GUIDELINES AND PROCEDURES
As issues in an area arise (e.g., new audit report, new information security risk assessment, or other process or evaluation that surfaces a potential risk), these items should be categorized by their risk score, which is based upon a combination of probability and impact.
Issues shall be documented, maintained, and managed by each associate or assistant vice president, or equivalent. If the issue is determined to be an information security incident or event, management of the incident will be handled by the Information Security Office or, if classified by the ISO as high risk, the IRM.
The impact shall be classified by one of five values:
Impact Value Impact Description Severe The effect will cause the university to not achieve its goals and initiatives; it is an “institutional show stopper.” Major The effect will cause the component not to achieve its goals and initiatives; it is a “show stopper.” Moderate The effect will cause the institution or component to operate inefficiently or expend unplanned resources to meet goals and initiatives. Minor The effects should be monitored to determine if action is required. Insignificant The measurable effect upon the achievement of institution’s goals and initiatives would be immaterial or insignificant.
The following factors, if pertinent to the risk, may be considered during the assessment of impact: human health and safety, societal or environmental, monetary, business or operations, information technology, information security, public relations, reporting and disclosure, strategic, compliance, and fraud.
The matrix shall classify the probability with one of five values:
Probability Value Probability Description Almost Certain An event is inevitable, or there is a great likelihood that an event will occur. Likely An event will probably occur. Possible The risk is neither extremely likely nor highly unlikely. The probability of an event is similar to occurrences within the normal course of operations. Unlikely The risk of an event is not anticipated. Rare The risk of an event is extremely unlikely or would require a combination of multiple failures.
The following factors, if pertinent to the risk, may be considered during the assessment of probability: history, conflicts of interest, susceptibility to fraud or theft, key changes (including leadership, key personnel, regulations, policies, operating processes, computer systems, software applications, etc.), control activities need improvement, policies and procedures require updates, training, and complexity of unit or process.
PROCEDURES FOR CALCULATING RISK SCORE
The impact and probability ratings are used to create a quantitative calculated risk score encompassing a range from 1 to 25 (R = P x I). Higher scores indicate increased risk.
Probability Impact Insignificant Minor Moderate Major Severe Almost Certain 5 10 15 20 25 Likely 4 8 12 16 20 Possible 3 6 9 12 15 Unlikely 2 4 6 8 10 Rare 1 2 3 4 5
Risk scores are classified into five categories to assist in determining the need for, or immediacy of, response or action.
Risk Classification Action Required Calculated Risk Score Catastrophic Immediate Action 16 - 25 Critical Urgent Action 10 - 15 Moderate Action Needed 5 - 9 Low Monitor 3 - 4 Insignificant No Action 1 - 2
PROCEDURES FOR APPLYING RISK SCORES TO AUDITS AND DEPARTMENTAL RISK ASSESSMENTS
Calculated risk scores should be included, where appropriate, in any risk assessment performed by departments of the Division of IT.
Calculated risk scores should be included in response to any audit finding, recommendation, observation, or area of improvement. When appropriate, this risk score shall guide the management response.
Calculated risk scores should be maintained in each IT department’s risk register, which should be updated regularly.
REVIEWERS OF THIS PPS
Reviewers of this PPS include the following:
Position Date Vice President for Information Technology March 1 EY Chief Information Security Officer March 1 EY Assistant Vice President, IT Assistance Center March 1 EY Assistant Vice President, IT Business Operations March 1 EY Associate Vice President, Technology Innovation Office March 1 EY Associate Vice President, Technology Resources March 1 EY Associate Vice President and University Librarian March 1 EY Special Assistant to the Vice President for Information Technology March 1 EY
This PPS has been reviewed by the following individuals in their official capacities and represents Texas State Information Technology policy and procedure from the date of this document until superseded.
Vice President for Information Technology; senior reviewer of this PPS