Security Procedure: Risk and Vulnerability Assessments
The procedure describes a framework for the assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic and paper data held by units of the University and outlines those items normally assessed in a University conducted Risk and Vulnerability Assessment.
This procedure applies to all units connected to the University network. The selection of units shall be prioritized by the Information Security Officer based on regulatory requirements, and identification of need due to business activities.
General Policy Provisions
The University utilizes a modified version of the OCTAVE methodology for assessing risks to information systems. The following items shall be assessed on a regular basis in all units covered by this policy for their technology environment.
- Survey of administrative security measures
- Security awareness training
- Security Strategy
- Security Management
- Security Policies
- Collaborative security management
- Contingency planning/Disaster recovery
- Physical security
- Authentication and authorization
- Incident management
- General staff practices
- Information management
- Assessment of information management practice
- Inventory of information systems
For HIPAA covered components, the above items will be augmented by an enhanced comprehensive risk assessment to include business practices.
Units in violation of this policy are subject to the loss of network access privileges and potential disciplinary action for appropriate personnel.
Office of the Chief Information Officer
1001 Sunnyside Avenue
Lawrence, KS 66045
01/26/2022: Updated the contact section.
02/24/2015: Updated to reflect current practice.