Information Security Risk Management

Standard number: DS-13
Date issued: 7/1/2018
Date last reviewed: 7/24/2023
Date of next review: 6/30/2025
Version: 2.0 (see overview of changes from v. 1.0)
Approval authority: Vice President for Information Technology and CIO
Responsible office: Information Assurance

This Standard supports and supplements the Information Security (SPG 601.27) policy. The Standard is mandatory and enforced in the same manner as the policy. It will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances.

I. Overview

Management of institutional risk is a core component of U-M’s information security program. Given the size, scope, and complexity of university information systems and data assets, it is neither feasible nor desirable to equally protect all systems and assets. U-M has adopted the NIST Risk Management Framework as a guide to its institution-wide risk-based approach for assessing and prioritizing resource allocation for mitigating identified risks to systems and data.

Risk assessments can identify security gaps within a unit or information system, and play an important function in determining the overall information security posture of the unit or system. Risk assessments conducted across campus help in determining the university’s overarching information security profile, as well as identifying common risks and deficiencies.

Risk assessment and associated risk mitigation that exceed this Standard may be required by federal or state regulations (e.g., HIPAA, FISMA, GLBA) or industry standards (e.g., PCI), or contractual agreements.

II. Scope

This standard applies to the Ann Arbor campus, Michigan Medicine, UM-Dearborn, UM-Flint, all affiliates, and all faculty, staff, workforce members, and sponsored affiliates. Specifically it applies to:

  • Critical IT infrastructure, information systems, or other IT services hosted and controlled by any of the above that process or store data classified as Restricted, High, or Moderate, whether at the research project, unit, or enterprise level.

III. Roles and Responsibilities

  • Information System Owners (Unit Leadership/Business Owner/Service Owner): Information system owners are responsible for ensuring that those information systems and applications under their control that are deemed mission critical or that create, process, maintain, transmit, or store sensitive institutional data are assessed for risk based on data classification level; identified risks must be mitigated, transferred, or accepted, as stipulated below.
  • Chief Information Security Officer (CISO): The CISO establishes the baseline security controls for all units and information systems; provides a risk assessment to unit leadership and the Office of the CIO prior to acceptance by them of specific risks; and coordinates appeals for exception to this Standard.
  • Information Assurance (IA): IA is responsible for the development and maintenance of a standards-based risk assessment methodology (RECON-Risk Evaluation of Computers and Open Networks); conducts risk assessments for most units and information systems with Restricted or High data; providing risk mitigation support and guidance as needed. IA also educates unit and information systems staff on how to carry out a risk assessment using the RECON methodology.
  • Security Unit Liaison (SUL): Every university unit has an assigned Security Unit Liaison who is responsible for:
    • Assisting IA in the identification of sensitive or critical information assets within the unit and any unit-unique regulatory requirements;
    • Clarifying risk assessment scopes, in conjunction with IA Information Security Leads (ISL) where applicable, with relevant documentation, diagrams, knowledge base sites, etc.;
    • Assisting with providing access to systems for security reviews and control validation;
    • Ensuring risk assessments are performed and risk treatment plans implemented for unit-unique services or applications;
    • Facilitating post-assessment decisions and coordination of risk mitigation efforts.

IV. Standard

Information Security risk management is an ongoing lifecycle that includes the following steps:

Step 1: Categorize

Categorize the information system and the information and data processed, stored, and transmitted by that system based on sensitivity and risk of harm to individuals and the university if the information is subject to a breach or unauthorized disclosure.

All information systems that create, process, store, or transmit Restricted or High data must be assessed for risk to the university that results from threats to the integrity, availability and confidentiality of the data.

Within the NIST framework, security controls are added or removed based on the data classification level. The Restricted classification level is equivalent to the NIST Moderate control tier; these controls are selected by Information Assurance and included in the university’s RECON tool.

Step 2: Select

Select an initial set of baseline security controls based on the data classification levels described in Information Security Policy (SPG 601.27).

The control catalog outlined in the NIST document has been adapted for specific application to policies, procedures, and information technology environments at U-M. Based upon the sensitive data types being stored, processed or accessed within the environment, a related control template is used, (i.e. FISMA, HIPAA, CUI).

Step 3: Assess

Assess the extent to which security controls are correctly implemented, operating as intended, and producing the desired outcome.

The core elements of a risk assessment (RECON or other approved security assessment tool) include:

  • Scope of assessment
  • Current state of security control implementation
  • Documentation of identified threats, vulnerabilities, and risks associated with the system
  • Mitigation recommendations to reduce risks and threat potential to the system.

Risk assessments for systems or applications that create, store, process, or transmit Restricted or High level data are required to be conducted under the following circumstances, either by IA staff or other approved-by-IA qualified security professionals:

  • After a major architectural change to the service, and
  • Soon after a serious IT security incident is reported
  • When required by regulation or law.

Due to staffing constraints, IA may prioritize assessment schedules based upon data classification, institutional priorities, compliance requirements, or contractual obligations.

Risk assessments for non-mission critical systems or applications that create, store, process, maintain, or transmit Moderate or Low data will not be conducted by IA staff and may be done by unit staff utilizing the RECON or less rigorous security assessment methodology.

The chart below summarizes requirements for risk assessments by data classification level and mission criticality (Restricted and High are required regardless of criticality designation):

Data Classification Level/Mission Criticality Required or Recommended Risk Assessment Frequency Assessment Performed by
Restricted Required As defined by regulation IA or Unit IT
High Required As defined by regulation, after new system implementation, or after major system change IA or Unit IT
Moderate or Low/Critical Required After new system implementation, or after major system change Unit IT
Moderate or Low/Non-Critical Recommended After new system implementation, or after major system change Unit IT

Assessment Outcomes

  • The results of unit-conducted risk assessments, and any associated remediation plans, are required to be provided to IA.
  • Once a risk has been identified, units will work with IA to develop and implement risk mitigation actions and strategies to reduce the risk to acceptable levels. RECON Risk Treatment Plans (below) provide the structure for actively managing identified risks.
  • Risk assessments are considered IT security data classified as High and should be maintained as confidential records, made available only to designated staff or assessed units and others with job-related responsibilities, such as University Audits and Michigan Medicine Corporate Compliance.

Step 4: Implement

Implement the appropriate risk-reducing controls as identified by the risk assessment process.

A Risk Treatment Plan is provided as soon as possible after completing the risk assessment, within two weeks wherever possible. This is an action plan which requires the assessed area to review all security control recommendations and either: a) agree to mitigate as stated; or b) propose alternative or revision to specific control recommendation(s). Plans must be reviewed and accepted by unit leadership within two months after receipt of the plan.

Components of risk treatment plans include:

  • Description of security control recommendation
  • Primary staff responsibility for each recommendation
  • Estimated financial costs, time and staffing resources to carry out identified mitigation recommendations, including estimated start and completion dates
  • Metrics to evaluate progress and success.

In general, risks identified by a risk assessment and included in a Risk Treatment Plan must be mitigated or accepted on a priority basis within the following timeframes:

  • 60 days to create remediation plan,
  • 180 days to address findings, with time frames running concurrently.

Non-trivial changes to Plans, once adopted, must be documented and signed off on by unit leadership, principal investigator, or other appropriate senior official.

Identified risks must be addressed by one of the following:

  • Implementing identified control (information security risk mitigation);
  • Sharing or shifting the risk to another party (information security risk transference); or
  • Assuming or accepting the identified risk (information security risk acceptance).

Note: For compliance-based RECONs, compliance approval is not provided until all the risk treatment plan items are complete and the compliance owner has provided approval.

Step 5: Evaluate

Evaluate that an identified but unmitigated risk is acceptable.

Risks are quantitatively and qualitatively expressed in the RECON tool as Severe, High, Medium, Low and Very Low.

In general, U-M units and individuals may not unilaterally accept information security and compliance risk that results in the greater university’s vulnerability to cyber risks. Specifically:

  • Residual high and severe risks identified in risk assessments but not mitigated in an established timeframe may only be accepted on behalf of the university by unit leadership with the acknowledgement of the Office of the CIO.
  • Approval authority may be delegated if documented in writing, but ultimate responsibility for risk acceptance on behalf of the university cannot be delegated.

Step 6: Monitor and Follow-up

IA will follow up with units on an ongoing basis to ensure and track progress of open Risk Treatment Plan items.

V. Violations and Sanctions

Violations of this Standard may result in disciplinary action up to and including suspension or revocation of computer accounts and access to networks, non-reappointment, discharge, dismissal, and/or legal action. In addition, the connectivity of machines and servers to the U-M network that do not comply with this Standard may be limited or disconnected.

Discipline (SPG 201.12) provides for staff member disciplinary procedures and sanctions. Violations of this policy by faculty may result in appropriate sanction or disciplinary action consistent with applicable university procedures. If dismissal or demotion of qualified faculty is proposed, the matter will be addressed in accordance with the procedures set forth in Regents Bylaw 5.09. In addition to U-M disciplinary actions, individuals may be personally subject to criminal or civil prosecution and sanctions if they engage in unlawful behavior related to applicable federal and state laws.

Any U-M department or unit found to have violated this Standard may be held accountable for the financial penalties, legal fees, and other remediation costs associated with a resulting information security incident and other regulatory non-compliance.

VI. Implementation

Information Assurance is responsible for the implementation, maintenance and interpretation of this Standard. Supporting guidance for units is available on the Safe Computing website at Information Security Risk Management.

VII. References

NIST SP 800-30, Revision 1: Guide for Conducting Risk Assessments

VIII. Related NIST Security Controls