- Update the risk assessment based on changes which have occurred since the previous review.
- Evaluate the continuing applicability of current policies, guidelines, standards and procedures.
- Review periodically all non-compliance situations concerning security policy and practices.
- Determine the appropriate recourse for each non-compliance situation.
All University of Houston information assets, all security related policies and procedures and any non-compliance situation identified by the Information Security Officer or management regarding any existing security policy.Standard
At appropriate times, the Vice Chancellor/Vice President for Information Technology should review the updated risk assessment, proposed changes to policies and procedures and all non-compliance situations to assess the risk of each situation, and determine the appropriate recourse.Guidelines
- The Information Security Officer should conduct a periodic risk assessment review of the overall information systems environment, current policies, procedures, guidelines and standards and all incidents of non-compliance.
- The risk assessment should be reviewed annually or whenever significant systems changes are implemented.
- The revised risk assessment should be presented to the VC/VPIT for acceptance.
- The revised policies, etc., should be presented to the VC/VPIT for formal approval.
- Incidents of non-compliance should be brought to the attention of the VC/VPIT and one of two actions will be taken: