| Issued Under Authority of | UM Information Security Policy |
| Responsible Office | UM Information Security Office |
| Category | Governance and Risk Management |
IN PLAIN LANGUAGE
Managing security risk is not just an IT function — it's a shared institutional responsibility. This standard establishes how the University identifies, assesses, and responds to information security risks across systems, services, and projects. When a risk is identified, it must be evaluated for its likelihood and potential impact, and then addressed through mitigation, acceptance, avoidance, or transfer. Risk acceptance decisions must be formally documented and approved by the right people. Risks don't stay static — they must be monitored over time and reassessed when circumstances change.
1. Purpose
The purpose of this Standard is to establish a consistent, risk-based approach for identifying, assessing, responding to, and monitoring information security risks across the University of Montana. Effective risk management enables informed decision-making, prioritization of resources, and responsible stewardship of University Data and information systems.
This Standard supports the University's Information Security Program and aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0.
2. Scope
This Standard applies to:
- Information systems, applications, and services that store, process, or transmit digital University Data
- Technology projects, system changes, and new implementations
- Third-party systems and services used for University business
- Centrally managed and distributed IT environments across all University of Montana System campuses
3. Risk Management Principles
Information security risk management at the University is guided by the following principles:
Risk-based decision-making — Security controls and investments are prioritized based on risk.
Shared responsibility — Risk ownership resides with business and system owners, supported by Information Security.
Transparency — Risk decisions are documented and reviewable.
Proportionality — Risk responses are commensurate with potential impact and likelihood.
4. Risk Identification
- Information security risks must be identified for systems, services, and processes
- Risks may arise from threats, vulnerabilities, system changes, or third-party relationships
- Risk identification must consider confidentiality, integrity, and availability impacts
5. Risk Assessment
Identified risks must be assessed for likelihood and potential impact. Risk assessments must be conducted:
- For new systems or services
- When significant changes occur
- In response to significant vulnerabilities or incidents
Assessment methodologies may vary but must be documented and repeatable.
6. Risk Response
The University must respond to identified risks using one or more of the following strategies:
Mitigation — Implementing controls to reduce risk.
Acceptance — Formally accepting residual risk with documented approval.
Avoidance — Discontinuing or modifying activities to eliminate risk.
Transfer — Sharing risk through contractual or other mechanisms.
Risk acceptance decisions must be documented and approved by appropriate authorities.
7. Risk Monitoring and Review
- Risks and risk responses must be monitored over time
- Changes in threat environment, system use, or controls may require reassessment
- Significant or material risks must be escalated to executive leadership
8. Integration with Other Standards
This Standard both supports and is supported by other Information Security Standards.
- Risk management informs control selection in security standards
- Security standards provide the control framework for risk mitigation
- Exception requests must be evaluated within the context of risk
9. Exceptions
Exceptions to this Standard must:
- Be documented with justification
- Be approved by the CISO or designee
- Be reviewed periodically
10. Review and Maintenance
This Standard must be reviewed at least annually and updated as necessary to reflect changes in risk, technology, or institutional requirements.
11. References
- UM Information Security Policy
- UM Incident Response Standard
- UM Audit Log Management Standard
- UM IT Asset Management Standard
- NIST Cybersecurity Framework (CSF) 2.0