Effective Date: October, 2013
Revised: November 2014
As provided in the Columbia University Information Security Charter (the “Charter”) http://policylibrary.columbia.edu/information-security-charter, the University is charged with protecting the confidentiality, integrity and availability of its Information Resources (as defined in the Charter). To accomplish this task, a formal Information Security Risk Management Program has been established as a component of the University’s Information Security Program (as defined in the Charter) to ensure that the University is operating with an acceptable level of risk. The Information Security Risk Management Program is described in this Policy.
Capitalized terms used herein without definition are defined in the Charter.
II. Policy History
The effective date of this Policy is November 1, 2013. This policy replaces the CUMC Policy, EPHI1- Information Security Management Process, dated November 2007.
III. Policy Text
Information Security Risk Management covers all of the University’s Information Resources, whether managed or hosted internally or externally. Executive Managers, System Owners, Data Owners and IT Custodians are responsible for working with the applicable Information Security Office to implement the Information Security Risk Management Program, including remediation of identified risks in a timely manner.
The Information Security Risk Management Program comprises the following processes:
A. Information Resources Risk Categorization
All Information Resources that store, process or transmit Data are included in the Information Security Risk Management Program. Information Resources are categorized based on their function, threat exposure, vulnerabilities and Data type pursuant to the Information Security Policies. The categorization process takes into account the following elements:
Resources to address risks are allocated according to the identified risks.
B. Security Control Selection
The appropriate security controls to mitigate identified risks are selected based on the nature, feasibility and cost effectiveness of the controls. The University has selected elements from the following security control frameworks to use as part of its Information Security Risk Management Program:
All Systems and Endpoints must meet the baseline requirements as defined in the Columbia University Registration and Protection of Systems Policy http://policylibrary.columbia.edu/registration-and-protection-systems-policy or the Columbia University Registration and Protection of Endpoints Policy http://policylibrary.columbia.edu/registration-and-protection-endpoints-policy. Additional controls will be evaluated based on the framework defined above and applied based on risk analysis.
C. Risk Analysis
A documented risk analysis process is used as the basis for the identification, definition and prioritization of risks. The risk analysis process includes the following:
The risk analysis process is updated when environmental, operational or technical changes arise that impact the confidentiality, integrity or availability of Information Resources. Such changes include:
When security measures for an Information Resource do not meet a security standard, risks are identified and expressed. Three factors are considered when determining the risk:
Risks are qualitatively expressed as Critical, High, Medium, Low and Minimal. For purposes of this Policy, Critical, High, Medium, Low and Minimal Risks are defined as follows:
The strategies for risk remediation are proportionate to the risks to the Information Resource. The selected and implemented risk management measures reasonably protect the confidentiality, integrity and availability of Information Resources and the risk is managed on a continuous basis. One or more of the following methods are used to manage risk:
A Low or Minimal Risk may be accepted by an Executive Manager with appropriate documentation and periodic review. If a previously accepted risk is realized in a real incident, the risk analysis and management are repeated with the new information, and re-addressed with greater sensitivity and urgency based on the nature and extent of the incident.
The results of Risk Analysis and Risk Remediation are documented and reviewed by Executive Managers, the applicable Information Security Office, System Owners, Data Owners and IT Custodians. Monitoring processes are used to evaluate:
The frequency of risk monitoring will be based on:
IV. Cross References to
The Information Security Policies referred to in this Policy are listed on Appendix A hereto.
Information Security Charter
Registration and Protection of Endpoints Policy
Registration and Protection of Systems Policy