Risk Level (filled in by UC InfoSec)
Department: RAF#
Information Security
University of Cincinnati
Mail Drop 0149
(513) 556-0803
Risk Acceptance Form (RAF) – Vulnerability Assessments
Name and title of Originator:
Summary of Request:
Overview of Service Impacted:
Benefits of Accepting This Risk:
Summary of How Doing This Will Put UC at Risk:
(What risk does putting the solution in place as-is cause to UC? If implementing this solution leaves known vulnerabilities in place, list them here.)
Summary of Information Security Controls:
(Describe the technical and procedural controls implemented to address the vulnerabilities and risks above. How are you going to minimize or mitigate the risk this solution causes? If you are not putting any controls in place, simply say “None”.)
Are Security controls documented? ( Y / N ) If so where can the documentation be found?
After Controls what is the remaining Risk and what is the Risk Level:
(Describe the type and magnitude of remaining vulnerabilities and risks after controls have been implemented.)
UC InfoSec Form 40 Official Use Only Version 1.1, 3/31/09
Risk Acceptance Request:
The service, application or business owner is seeking a risk acceptance decision for the following
deployment scope and duration. If externally sourced, basic information on the contract is provided.
I have reviewed this Security Risk Summary content. I agree that the business benefit and outstanding
risk have been adequately identified and are documented accurately. My Director/VP is aware of this
request.
Signed by: , Service or Business Owner Signature Date:
Security Risk Decision Documentation:
(check decision, fill in relevant information and sign.)
No. I find the residual risk greater than the potential business benefit. This risk acceptance request
is denied.
Yes, with reduced Scope. I accept responsibility for the outstanding risk related to the deployment
provided use is reduced and limited per comments below:
Yes for temporary period while controls are improved. I accept responsibility for the outstanding
risks related to the deployment and use of this application or service; however, I find the current
level of control inadequate. I would like work to begin to improve controls as noted below.
List Scope and timing constraints and/or Controls requested:
I would like to be informed of progress via Monthly/Quarterly Status Reports/Meetings (circle selection)
Unqualified Yes. I understand and accept responsibility for the outstanding risk related to the
deployment and use of this application or service for the requested scope and timeframe. I find the
current controls adequate; additional controls need not be applied.
Date of Next Review: (at least annual)
UC InfoSec Form 40 Official Use Only Version 1.0, 3/05/07
Information Security risks to the business and potential benefits were clearly explained. My risk decision
is made on behalf of the University of Cincinnati and is documented appropriately above.
Signed by: Signature Date:
Name: Kevin L. McLaughlin, MS; CISSP; CISM, GIAC
Title: Assistant Vice President for Information Security & Special Projects
Department: UC Information Security
Due to the potential risk and/or business impact related to this request I have deemed that this risk
needs to be reviewed and approved or denied by a University Executive officer (CIO or President).
Yes, this Risk needs further review. No, this Risk needs no further review.
Signed by: Signature Date:
(Print) Name: Michael Lieberman, PhD Title: Interim Vice President, CIO
Department: UCit
Appendix A
Terms
Acceptable risk - A term used to describe the minimum acceptable risk that an organization is
willing to take.
Countermeasure or safeguards - Controls, processes, procedures, or security systems that help
to mitigate potential risk.
Exposure - When an asset is vulnerable to damage or losses from a threat.
Exposure factor - A value calculated by determining the percentage of loss to a specific asset
because of a specific threat.
Residual risk - The risk that remains after security controls and security countermeasures have
been implemented.
Risk management - The process of reducing risk to assets by identifying and eliminating threats
through the deployment of security controls and security countermeasures.
Risk analysis - The process of identifying the severity of potential risks, identifying
vulnerabilities, and assigning a priority to each. This may be done in preparation for the
implementation of security countermeasures designed to mitigate high-priority risks.
Criticality Matrix

| | Most Critical | Critical | Least Critical |
|---|---|---|---|
| | Highest level of sensitivity | Moderate level of sensitivity | Very low, but still requiring some protection |
| Legal Requirements | Protection of data is required by law (e.g., HIPAA and FERPA data elements and other personal identifying information protected by law) | The institution has a contractual obligation to protect the data (e.g., bibliographic citation data, bulk licensed software) | |
| Reputation Risk | High | Medium | Low |
| Other Institutional Risks | Information that provides access to resources, physical or virtual | Smaller subsets of Most Critical data from a school, large part of a school, or department | |
| Data Examples | Medical; Student; Prospective student; Personnel; Donor or prospect; Financial; Contracts; Physical plant detail; Credit card numbers; Certain management information | Information resources with access to Most Critical data; Research detail or results that are not Most Critical; Library transactions (e.g., catalog, circulation, acquisitions); Financial transactions that do not include Most Critical data (e.g., telephone billing); Very small subsets of Most Critical data | Campus maps; Personal directory data (e.g., contact information); E-mail; Institutionally published public data |
The Risk Matrix
To determine the degree of urgency attached to a given situation, refer to this table. Rows give the probability of the event, columns its impact; the cell gives the risk level (A is most urgent, C least).

| Probability \ Impact | High | Medium | Low |
|---|---|---|---|
| High | A | B | C |
| Medium | A | B | C |
| Low | B | C | C |
Risk Assessment
The UC Office of Information Security will assist with Risk Assessment upon request.