• Home
  • Security Procedure: Risk and Vulnerability Assessments

Security Procedure: Risk and Vulnerability Assessments

Procedure
Purpose: 

The procedure describes a framework for the assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic and paper data held by units of the University and outlines those items normally assessed in a University conducted Risk and Vulnerability Assessment.

Applies to: 

This procedure applies to all units connected to the University network. The selection of units shall be prioritized by the Information Security Officer based on regulatory requirements, and identification of need due to business activities.

Campus: 
Lawrence
Edwards
Parsons
Juniper Gardens
Yoder
Topeka
Policy Statement: 

General Policy Provisions

The University utilizes a modified version of the OCTAVE methodology for assessing risks to information systems. The following items shall be assessed on a regular basis in all units covered by this policy for their technology environment.

  1. Survey of administrative security measures
    1. Security awareness training
    2. Security Strategy
    3. Security Management
    4. Security Policies
    5. Collaborative security management
    6. Contingency planning/Disaster recovery
    7. Physical security
    8. Authentication and authorization
    9. Incident management
    10. General staff practices
    11. Information management
  2. Assessment of information management practice
  3. Inventory of information systems

For HIPAA covered components, the above items will be augmented by an enhanced comprehensive risk assessment to include business practices.

Consequences: 

Units in violation of this policy are subject to the loss of network access privileges and potential disciplinary action for appropriate personnel.

Contact: 

Chief Information Officer
345 Strong Hall
1450 Jayhawk Blvd
Lawrence, KS 66045
(785) 864-4999

kucio@ku.edu

Approved by: 
Chief Information Officer
Approved on: 
Friday, April 1, 2005
Effective on: 
Saturday, April 2, 2005
Review Cycle: 
Annual (As Needed)
Keywords: 
risk assessment, vulnerability, compliance, RVA
Review, Approval & Change History: 

Updated 2/24/15 to reflect current practice.

Information Access & Technology Categories: 
Privacy & Security

Can't Find What You're Looking For?
Policy Library Search
KU Today
One of 34 U.S. public institutions in the prestigious Association of American Universities
Nearly $290 million in financial aid annually
44 nationally ranked graduate programs.
—U.S. News & World Report
Top 50 nationwide for size of library collection.
—ALA
23rd nationwide for service to veterans —"Best for Vets," Military Times