Information Security Risk Management

Risk management is the process of identifying, assessing, and limiting threats to the university’s most important information systems and data. U-M has diverse information assets, each with variable threats, vulnerabilities, and risk tolerances that together create unique challenges for security. It is neither desirable nor feasible to protect all systems and data equally. The risk management program is designed to provide information and tools to aid decision making around risk mitigation, risk acceptance, and allocation of resources.

The Information Security Risk Management Standard (DS-13) supplements and supports the Information Security policy (SPG 601.27), and applies to the Ann Arbor, Dearborn, and Flint campuses, and Michigan Medicine. It covers all U-M owned and managed IT infrastructure, systems, or services that create, process, maintain, or store university data classified as Restricted, High, Moderate, or Low, as defined by the U-M Data Classification Levels.

All U-M units are responsible for complying with this standard, and the guidance on this page helps units meet that responsibility.

When Risk Assessments Are Required

Third-party service providers and cloud-based services are generally required to undergo some form of risk assessment and ongoing risk management as part of their contractual relationship with U-M.

Risk assessments are required by some laws and regulations (e.g., HIPAA, FISMA). Risk assessments should also be triggered by new system implementations and by major infrastructure, technology, or service changes that affect security controls, such as upgrades to architecture, functionality, or processes.

Risk Management Areas of Focus

U-M has adopted the NIST Risk Management Framework as its foundation for institutional information security risk management. Using evidence- and experience-based findings from risk assessments, the ITS Information Assurance (IA) team has identified four areas of focus corresponding to the vulnerabilities most commonly seen in U-M environments: Configuration Management, Logging, Accounts and Access, and Patching (CLAP). When properly addressed, these areas set the foundation for good operational security practices.

Configuration Management: Using a hardened profile from the beginning of a system or application lifecycle ensures unnecessary services and configurations are never deployed. Retrofitting a hardened profile to systems and applications already in production is more difficult and costly. For additional information, please refer to the Hardening for U-M Systems page.
Logging: Auditing logs is an important part of identifying system and security issues, and logs are only useful if they are collected and retained before an incident. Reviewing your logs on a regular basis is a best practice. For additional information, please refer to the Logging Configuration for U-M Systems page.
Accounts and Access: Account lifecycle issues (such as accounts that are not removed or re-scoped when a person's role ends) are among the most common risk assessment findings. Reviewing accounts and access on a regular basis is a best practice. For additional information, please refer to the Accounts & Access page.
Patching: Vulnerability management through regular patching is a critical component of the university's information security program and is essential to mitigate financial, reputational, and regulatory risks. For additional information, please refer to the Vulnerability Management page, along with the Vulnerability Management Data Standard (DS-21).

For additional information on risk analysis and common controls, please refer to the IT Security Risk Analysis (RECON) page. If you have questions or need additional guidance on risk management at U-M, contact IA through the ITS Service Center.