Explainer: Information Security Risk Management Rule (4-004B)
The University of Utah’s Information Security Risk Management Rule (4-004B) supports Information Security Policy (4-004). The U’s IT security policy, rules, and guidelines aim to protect the university’s IT resources, systems, and data, including that of students, faculty, staff, guests, patients, vendors, and more.
What does it say?
Rule 4-004B establishes the U’s information security risk management program. It outlines how the university will secure IT systems that interact with university data and provides guidance on how to assess, prepare for, and handle information security risks.
Some items covered in the rule:
- Methodology
- The rule, which is based on the National Institute of Standards and Technology’s (NIST) guide for conducting risk assessments, uses numerous government and industry IT control frameworks to manage risk. A control framework is a set of defined IT security protocols designed to protect the confidentiality, integrity, and availability of IT systems and their information.
- Risk assessments for IT systems
- The five vectors used to assess the likelihood and impact of a compromise
- The scoring system for inherent and residual risks
- Stakeholder responsibilities
Why should I care?
The U’s information security risk management program helps to protect university data and devices — and yours, too — from threat actors and IT security incidents.
IT security incidents are costly, both financially and personally. They can lead to identity theft, damaged reputation, fines and/or penalties, operational disruption, compromised devices, lost time, downtime, data loss or manipulation, and service interruptions. The university and its community members are especially at risk of cybercrime because the U is a public university, research institution, and health care organization, all of which handle large amounts of confidential data.
Who does it apply to?
Although the rule is most relevant to university administrators, employees in IT roles, and organizations that use internal or external IT systems and resources, it impacts all university users.
Up next month in the October Node 4 newsletter — Rule 4-004C: Data Classification and Encryption
Node 4
Our monthly newsletter includes news from UIT and other campus/ University of Utah Health IT organizations, features about UIT employees, IT governance news, and various announcements and updates.