Risk Assessment Policy

Purpose

To provide the College with guidance in identifying and understanding the components of the institution that make up its information security system, and thereby enable the College to manage cybersecurity risk to systems, assets, data, and capabilities.

Policy

Risk assessments take into account threats, vulnerabilities, likelihood, and impact to the College's assets, individuals, and other organizations based upon the use of the College's system. The College periodically conducts assessments of risk, which include the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, and/or destruction of the College's system, system components, and the information processed, stored, or transmitted by the system. Risk assessment results are documented and reviewed by the College's Security Official or designee. The risk assessment results are then disseminated to appropriate faculty and staff including, but not limited to, the College's executive staff. Risk assessments are conducted annually by the College or whenever there are significant changes to the College, its system, or other conditions that may impact the security of the College.

Summary

  • Physical (hardware) and software assets will be assessed for vulnerabilities, and those vulnerabilities will be documented.
  • From time to time a vulnerability scan of those assets will be conducted in order to assess vulnerabilities in either the information system or its hosted applications.
  • The College uses a variety of sources to assist in determining asset vulnerabilities.
  • These sources can include, but are not limited to, US-CERT bulletins, InfraGard, the Federal Trade Commission (FTC), and the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC).
  • When threats are identified, they will be documented as to the type of threat, a description of the threat, and the characteristics of the threat.
  • Threats will be classified according to their potential for adverse impact on the College.
  • Once a risk is identified, it will be reduced or mitigated.
  • The College understands that risks exist regardless of efforts and will address risks as they become suspected or evident.

Risk Assessment Policy Details [pdf]