1 PURPOSE
The goal of the University System's Cybersecurity Risk Management Program is to ensure that cybersecurity risk across the University System and its component institutions is managed effectively, in order to prevent adverse events from impacting the confidentiality, integrity, and availability of institutional information and information technology resources. While mitigation should be considered for every cybersecurity risk, there are times when the optimal strategy for managing a risk is Risk Acceptance. This Standard defines the process and requirements for Cybersecurity Risk Acceptance at the University System and its component institutions.
2 SCOPE
This Standard applies to all cybersecurity risks.
3 STANDARD
When a cybersecurity risk is identified that cannot or will not be mitigated, avoided, or transferred, the risk shall be accepted by the appropriate member of administrative, academic, or business unit leadership. Acceptance of risk is an acknowledgement that a risk, and its potential to cause losses to the University System and/or its component institutions, is understood and, with that understanding, an affirmative choice not to mitigate, transfer, or avoid it, even if the probable frequency and/or probable magnitude of loss falls outside the University System's risk tolerance or appetite. When risk is accepted, responsibility for possible losses resulting from accepting the risk belongs to the administrative, academic, or business unit accepting it.
This means that the administrative, academic, or business unit accepting the risk shall be responsible for direct and indirect costs incurred due to any cybersecurity incidents that the Chief Information Security Officer (CISO) determines are the result of accepting the risk.
Based on the degree to which the risk is left unmitigated and the severity of the potential loss, additional sign-off by different levels of senior management may be required. Risk Acceptance, even when approved by the senior leadership of an administrative, academic, or business unit, shall be subject to revocation by the Chief Information Officer (CIO) or the CISO at any time and may be subject to Internal Audit's annual follow-up procedures.
Risk acceptance shall be documented using the Cybersecurity Risk Acceptance Form, which Cybersecurity Governance, Risk, & Compliance (GRC) completes, with the assistance of the unit responsible for accepting the risk.
Acceptance of cybersecurity risk requires, at a minimum, the signature approval of the CISO and the leadership of the relevant administrative, academic, or business unit. Only senior leadership can accept risk on behalf of the University System or one of its component institutions.
At the discretion of the CISO or the CIO, additional levels of approval may be required in circumstances where the severity of the potential adverse impact requires the visibility and acceptance of University System or institutional executive leadership.
If the risk includes any institutional information with regulatory compliance obligations, the appropriate University System or institutional compliance authority shall also provide a signature approval.
Accepted risks shall be reviewed annually and, if appropriate, the acceptance of that risk shall be renewed for another year.
Cybersecurity Governance, Risk, & Compliance (GRC) shall administer the Cybersecurity Risk Acceptance Process and is responsible for maintaining the pertinent records related to risk acceptance.
DOCUMENT HISTORY
Approved by:
CHIEF INFORMATION SECURITY OFFICER, D STOCKMAN, 02 SEP 2020, V1
CYBERSECURITY POLICY & STANDARD WORKING GROUP, 15 SEPT 2022, V0.1
Reviewed by:
CHIEF INFORMATION SECURITY OFFICER, D STOCKMAN, AUG/SEP 2020, V1
CYBERSECURITY POLICY & STANDARD WORKING GROUP, 15 SEPT 2022, V0.1
Revision History:
REVIEW DRAFT FINALIZED, DR DAVID YASENCHOCK, 15 SEPT 2022, V0.1
REVISED FORMATTING, K SWEENEY, 30 MAY 2024