Information Security Risk Management

Risk Management Overview & Scope

Risk management is the process of identifying, assessing, and limiting threats to the university’s most important information systems and data. U-M has a wide-ranging diversity of information assets, including regulated data, personally identifiable information, and intellectual property. Campus units, research programs, and clinical care settings sometimes have unique risks, along with variable threats, vulnerabilities, and risk tolerance. It is neither desirable nor feasible to protect all systems and data equally. The risk management program is designed to provide information and tools to inform decision making around risk mitigation, risk acceptance, and the allocation of resources.

The Information Security Risk Management Standard (DS-13) supplements and supports the Information Security (SPG 601.27) policy, and applies to the Ann Arbor, Dearborn, and Flint campuses, and Michigan Medicine. It covers all UM-owned and managed IT infrastructure, systems, or services that create, process, maintain, or store sensitive university data classified as Restricted, High, Moderate, or Low as defined by the U-M Data Classification Levels. Third party service providers and cloud-based services are generally required to do some form of risk assessment and risk management as part of their contractual relationship with U-M.

Risk Management Steps

U-M has adopted the NIST Risk Management Framework as its foundation for institutional information security risk management. The risk management process includes the following steps, which should be carried out in an ongoing lifecycle:

  1. Categorize. Classify the information system and/or the data it creates, stores, processes, or transmits based on sensitivity and on the risk to individuals or the university if there is a breach or unauthorized disclosure. Consider both the Data Classification of the data itself and whether or not the systems meet the criteria of Mission Critical Systems & Applications.
  2. Select. Choose a set of security controls to apply based on the categorization of the systems and/or data. Information Assurance (IA) has built controls from the NIST Risk Management Security Controls into the risk analysis (RECON) process. U-M units using RECON do not need to do this for themselves. 
  3. Assess. Use RECON, the U-M risk assessment process, or a similar approved process, to assess the security of your system. Risk assessments are the primary tool for determining security gaps or deficiencies that need to be addressed. All systems and applications that store or process sensitive university data classified as Restricted or High must be assessed by IA or an IA-approved professional.
  4. Implement. Apply the risk mitigation controls identified in the assessment. This may include following a formal Risk Treatment Plan. 
  5. Authorize. Identify and authorize unmitigated risks. Risks assessed to be High or Severe under the risk assessment can only be accepted on behalf of U-M by senior unit leadership in consultation with the Chief Information Security Officer or a delegated authority. 
  6. Monitor and Follow Up. Follow up on an ongoing basis to ensure and track progress of open Risk Treatment Plan items. IA works with unit staff members as needed on this. 

Risk Management Roles & Responsibilities

Identifying, understanding, and accepting risks to information systems, applications, and data is a shared responsibility.

  • Information System Owners (unit leadership/business owner/service owner). System owners are responsible for ensuring that systems and applications under their control have risk assessments done, and that identified risks are either addressed appropriately or formally accepted.
  • Office of the Chief Information Security Officer (CISO). The CISO establishes the baseline security controls and acceptable risk levels for all units and environments. The CISO also coordinates all appeals for exceptions from the Risk Management standard.
  • Information Assurance (IA). IA developed and maintains a standards-based risk assessment methodology (RECON: Risk Evaluation of Computers and Open Networks), and conducts risk assessments for most units and information systems with data classified as Restricted or High. IA also provides risk mitigation support and educates unit and IT staff on risk assessment processes.
  • Security Unit Liaison (SUL). Every unit, school, or college has a staff member designated as a Security Unit Liaison. An SUL assists IA in identifying the unique IT security needs of each unit, helps provide information to set risk assessment scope, assists with obtaining physical and systems access for security reviews and validation, and helps facilitate decision making and mitigation plan implementation. 

Applicable University Policies

You are responsible for complying with the policies and standards below. The requirements on this page help you meet that responsibility.