Risk management is the process of identifying, assessing, and limiting threats to the university’s most important information systems and data. U-M has diverse information assets, each with variable threats, vulnerabilities, and risk tolerances that together create unique challenges for security. It is neither desirable nor feasible to protect all systems and data equally. The risk management program is designed to provide information and tools to aid decision making around risk mitigation, risk acceptance, and allocation of resources.
The Information Security Risk Management Standard (DS-13) supplements and supports the Information Security (SPG 601.27) policy, and applies to the Ann Arbor, Dearborn, and Flint campuses, and Michigan Medicine. It covers all U-M owned and managed IT infrastructure, systems, or services that create, process, maintain, or store university data classified as Restricted, High, Moderate, or Low as defined by the U-M Data Classification Levels.
All U-M units are responsible for complying with this standard; the guidance on this page helps units meet that responsibility.
When Risk Assessments Are Required
Third-party service providers and cloud-based services are generally required to do some form of risk assessment and risk management as part of their contractual relationship with U-M.
Risk assessments are required by some laws and regulations (HIPAA, FISMA, etc.). Risk assessments should also be triggered by new system implementations and by major infrastructure, technology, and service changes that affect security controls, such as upgrades to architecture, functionality, or processes.
Risk Management Areas of Focus
U-M has adopted the NIST Risk Management Framework as its foundation for institutional information security risk management. Using evidence- and experience-based findings from risk assessments, the ITS Information Assurance (IA) team has identified four areas of focus corresponding to the vulnerabilities most commonly seen in U-M environments: Configuration Management, Logging, Access and Accounts, and Patching (CLAP). When properly addressed, these areas set the foundation for good operational security practices.
For additional information on risk analysis and common controls, refer to the IT Security Risk Analysis (RECON) page. If you have questions or need additional guidance on risk management at U-M, contact IA through the ITS Service Center.