Live now: Board of Curators meeting

UM System

Information Security Risk Management

Policy 

To protect the confidentiality, integrity, and availability of University of Missouri data in compliance with applicable state and federal laws and regulations. The University has a formal Information Security Risk Management (ISRM) program that identifies risks and implements safeguards and plans to address and manage identified risks. 

The University Chief Information Security Officer (CISO) is responsible for managing the Information Security Risk Management program and coordinating the development and maintenance of program policies, procedures, and standards. The Information Security Risk Management program includes the process for managing exceptions to the Information Security policy and the risk acceptance process. 

Risk Assessments 

The University CISO develops an annual information security risk assessment plan in consultation with collegiate and administrative units.  Risk assessments are performed on information assets, systems, processes, and controls, based on risk criticality. 

Collegiate and administrative units must identify all collections and uses of private data to University Information Security upon request, collaborate with the University CISO to complete information security risk assessments, and develop and implement a risk treatment plan.  Units must report updates to the risk treatment plan to the University CISO or designate. Units must share with University Information Security the results of risk assessments, and any associated risk treatment plans completed by parties other than University Information Security. 

Reason for Policy 

University data are valuable assets to the University of Missouri and require appropriate protection. A formal Information Security Risk Management (ISRM) program consistently identifies and tracks information security risks, implements plans for remediation, develops appropriate safeguards, and provides guidance for strategic resource planning. It is critical that the University administer a formal ISRM processes to facilitate compliance with applicable state and federal laws and regulations, ensure security and confidentiality of information, protect against anticipated threats or hazards to the security or integrity of such information, protect against unauthorized access to or use of such information, ensure availability of University of Missouri data, and enable informed decisions regarding risk tolerance and acceptance. 

Responsibilities 

Vice President for IT and MU Chief Information Officer (CIO) 

  • Sponsors the CISO to ensure the information security risk process is followed for university activities, processes, and projects. 

  • In collaboration with CISO consider and jointly accept residual risk and Information Security policy exceptions with Administrative and Academic Senior Leadership where assessed risk level is medium or high. 

University Chief Information Security Officer (CISO) 

  • Manage the Information Security Risk Management program and coordinate the development and maintenance of Information Security Risk Management policies, procedures, and standards. 

  • Ensure the information security program is developed based on risk assessments and has appropriate controls to address risks identified 

  • Approve residual risk assessments level and procedures. 

  • Report to the board at least annually. 

  • In collaboration with CIO consider and jointly accept residual risk and Information Security policy exceptions with Administrative and Academic Senior Leadership where assessed risk level is medium or high. 

UM System Information Security Council 

  • Provide executive-level oversight for elevated security risks identified by the information security risk management program. 

  • Consider and jointly accept residual risk and Information Security policy exceptions with University’s Vice President for Information Technology where assessed risk level is medium or high. 

Administrative and Academic Senior Leadership 

  • Participate in the Information Security Risk Management program, including identification of assets and services, allocation of resources, risk prioritization, risk acceptance, and implementation of risk treatment plan.  

Administrative and Collegiate Faculty and Staff 

  • Identify all collections and uses of private data and provide University Information Security upon request. 

  • Collaborate with the University Information Security Office to complete information security risk assessments. 

  • Develop and implement a risk treatment plan. 

  • Report updates on the risk treatment plan to the University CISO or designate. 

  • Submit exceptions to the Information Security Policy and work with University Information Security through the exceptions process. 

 University Information Technology Security Office 

  • Schedule and prioritize information security risk assessments. 

  • Request from administrative and collegiate faculty and staff information related to their collection and use of private data. 

  • Conduct information security risk assessments. 

  • Process and follow up on requested exceptions to the Information Security policy. 

Campus Information Security Officers 

  • Schedule and prioritize campus specific information security risk assessments. 

  • Conduct campus specific information security risk assessments. 

  • Process and follow up on campus specific requested exceptions to the Information Security policy. 

Related Information 

 Related Policies 

 Related Laws and Regulations 

Reviewed 2023-06-08

Sections