Risk Assessment

Purpose
  1. Update the risk assessment based on changes that have occurred since the previous review.
  2. Evaluate the continuing applicability of current policies, guidelines, standards and procedures.
  3. Review periodically all non-compliance situations concerning security policy and practices.
  4. Determine the appropriate recourse for each non-compliance situation.

Scope

All University of Houston information assets, all security-related policies and procedures, and any non-compliance situation identified by the Information Security Officer or management regarding any existing security policy.

Standard

At appropriate times, the Vice Chancellor/Vice President for Information Technology (VC/VPIT) should review the updated risk assessment, proposed changes to policies and procedures, and all non-compliance situations to assess the risk of each situation and determine the appropriate recourse.

Guidelines
  1. The Information Security Officer should conduct a periodic risk assessment review of the overall information systems environment; of current policies, procedures, guidelines, and standards; and of all incidents of non-compliance.
  2. The risk assessment should be reviewed annually or whenever significant systems changes are implemented.
  3. The revised risk assessment should be presented to the VC/VPIT for acceptance.
  4. The revised policies, procedures, guidelines, and standards should be presented to the VC/VPIT for formal approval.
  5. Incidents of non-compliance should be brought to the attention of the VC/VPIT and one of two actions will be taken: