Risk Management
Definition
Risk refers to the possibility of loss to the confidentiality, integrity, and availability of CSUN assets. Risk is calculated using two factors: the likelihood of a vulnerability being exploited, and the impact on CSUN. Risk Management refers to the entire process, from identifying and evaluating risks to prioritizing, implementing, and monitoring the mitigations.
Department Responsibility
The departments are responsible for notifying Information Security of any major projects and application procurements where CSUN Level 1 and 2 data is stored, accessed, or processed.
Information Security Responsibility
The Information Security team is responsible for performing risk assessments and providing information on required mitigations in order to comply with the CSU and CSUN Policies.
When is a Risk Assessment required?
The Information Security team performs three types of risk assessments:
- Vendor Procurements: A risk assessment is required when a cloud-based vendor or application is being procured and access to CSUN Level 1 and 2 data is granted. This includes hiring consulting services and purchases made using Procurement cards (Pcard).
- Internal Risk Assessment: Information Security performs a risk assessment for the campus departments and colleges. This type of risk assessment focuses on Level 1 and 2 data processes in the department. It is to be performed every 2 years in order to identify gaps between CSU and CSUN Policy and current department practices.
- Project and Process: Information Security will perform a risk assessment when a department has undertaken a major project that involves the use of CSUN Level 1 and 2 data. For example: migration from on-premises to cloud.
Risk Management Process
Notification/Request: The department must notify Information Security of any procurements and major project undertakings. It is highly recommended that the department notify Information Security while it is still in the research phase. Waiting until the last minute can delay the process.
Information Gathering: The Information Security team will request information from the vendor and/or the department. For procurements, one of the following documents is required from the vendor:
- Higher Education Cloud Vendor Assessment Tool (HECVAT)
- SOC 2 Type II audit report
- Cloud Security Alliance Consensus Assessment Initiative Questionnaire (CSA CAIQ)
Assessment Draft: Information Security will draft a risk assessment document. The document highlights the risks and the mitigations that reduce each risk to an acceptable level. The department MPP must sign off on the risk assessment and mitigations.
Assessment Review: Once the draft is completed, Information Security will share the draft with the appropriate department staff for a review. This is an opportunity for departments to correct any inaccurate information on the risk assessment as well as discuss mitigations and the plan to implement them.
Assessment Sign-Off: Once both Information Security and the department agree upon the risk assessment draft and the mitigations, the final version will be sent out to the department MPP via Adobe Sign for signatures.
Risk Mitigation: The appropriate departments, as noted on the risk assessment document, are now responsible for implementing the mitigations. The department may reach out to Information Security to request clarification or assistance with implementing the mitigations. Information Security will follow up with the department to request a status on the mitigations. Once all mitigations are implemented, the risk assessment is closed.
Risk Exception
In situations where a required mitigation cannot be implemented for a variety of reasons, a risk exception document will be created. This document is similar to a risk assessment document. A risk exception document requires a signature from both the department MPP and Vice President of the division.
- For procurements where CSUN Level 1 and 2 data is involved, the Purchasing and Contracts Administration must include CSU Information Security Supplementals (DOCX).
- Cloud-based applications must use Single Sign-On (SSO), if available. Where the application does not support SSO, the administrators of the application must make sure that users use their CSUN email address for account creation and that account passwords meet the CSUN Password Standards and Guidelines (PDF).
- Departments must create a document to maintain and track user access to all cloud-based applications where Level 1 and 2 data is stored. This must be completed annually.
- Departments must annually go through their records in filing cabinets and any cloud-based applications to ensure that records are not stored beyond the retention schedule required by the CSU Records Retention and Disposition Schedule.