Explainer: Information Security Risk Management Rule (4-004B)

The University of Utah’s Information Security Risk Management Rule (4-004B) supports Information Security Policy (4-004). The U’s IT security policy, rules, and guidelines aim to protect the university’s IT resources, systems, and data, including that of students, faculty, staff, guests, patients, vendors, and more.

What does it say?

Rule 4-004B establishes the U’s information security risk management program. It outlines how the university will secure IT systems that interact with university data and provides guidance on how to assess, prepare for, and handle information security risks.

Some items covered in the rule:

  • Methodology
  • Risk assessments for IT systems
    • The five vectors used to assess the likelihood and impact of a compromise
    • The scoring system for inherent and residual risks
  • Stakeholder responsibilities

Why should I care?

The U’s information security risk management program helps to protect university data and devices — and yours, too — from threat actors and IT security incidents.

IT security incidents are costly, both financially and personally. They can lead to identity theft, damaged reputation, fines and/or penalties, operational disruption, compromised devices, lost time, downtime, data loss or manipulation, and service interruptions. The university and its community members are especially at risk of cybercrime because the U is a public university, research institution, and health care organization, all of which handle large amounts of confidential data.

Who does it apply to?

Although the rule is most relevant to university administrators, employees in IT roles, and organizations that use internal or external IT systems and resources, it impacts all university users.

Up next month in the October Node 4 newsletter — Rule 4-004C: Data Classification and Encryption


Last Updated: 4/8/24