Department:                                   Risk Level (filled in by UC OIS)
                                              RAF#

Office of Information Security
University of Cincinnati
Mail Drop 0149
(513) 556-0803


                       Risk Acceptance Form (RAF) – Vulnerability Assessments

Name and title of Originator:

Summary of Request:




Overview of Service Impacted:




Benefits of Accepting This Risk:




Summary of How Doing This Will Put UC at Risk:
(By putting the solution in place as is, what risk does this cause to UC? If there are known vulnerabilities left in place by
implementing this solution, list them here.)




Summary of Information Security Controls:
(Describe the technical and procedural controls implemented to address the vulnerabilities and risks above. How are you going to
minimize or mitigate the risk this solution causes? If you are not putting any controls in place, simply say “None”.)




     Are security controls documented? ( Y / N ) If so, where can the documentation be found?

After controls, what is the remaining risk and what is the risk level:
(Describe the type and magnitude of remaining vulnerabilities and risks after controls have been implemented.)




UC InfoSec Form 40.b                                          Official Use Only                                   Version 4.0, 07/26/2012
This part to be filled out by UC OIS: What is the assessed Risk Level Associated with this RAF?




Risk Acceptance Request:
The service, application or business owner is seeking a risk acceptance decision for the following
deployment scope and duration. If externally sourced, basic information on the contract is provided.

I have reviewed this Security Risk Summary content. I agree that the business benefit and outstanding risk
have been adequately identified and are documented accurately. My Director/VP is aware of this
request.

Signed by:                                                            , Service or Business Owner Signature Date:

Security Risk Decision Documentation:
(check decision, fill in relevant information and sign.)

[ ] No. I find the residual risk greater than the potential business benefit. This risk acceptance request is
    denied.
[ ] Yes, with reduced scope. I accept responsibility for the outstanding risk related to the deployment
    provided use is reduced and limited per comments below:
[ ] Yes, for a temporary period while controls are improved. I accept responsibility for the outstanding
    risks related to the deployment and use of this application or service; however, I find the current level
    of control inadequate. I would like work to begin to improve controls as noted below.
List Scope and timing constraints and/or Controls requested:



[ ] Unqualified Yes. I understand and accept responsibility for the outstanding risk related to the
    deployment and use of this application or service for the requested scope and timeframe. I find the
    current controls adequate; additional controls need not be applied.


Date of Next Review:                          (at least annual)




Information Security risks to the business and potential benefits were clearly explained.


Signed by:                                                         Signature Date:
Name:          Mark A. Faulkner
Title:         Acting Chief Information Security Officer (CISO) & Associate Vice President
Department: UC Office of Information Security


Due to the potential risk and/or business impact related to this request, I have deemed that this risk needs
to be reviewed and approved or denied by a University Executive officer (CIO or President).


[ ] Yes, this Risk needs further review.                [ ] No, this Risk needs no further review.




[ ] Yes, this Risk can be accepted.                     [ ] No, this Risk cannot be accepted.


Signed by:                                                         Signature Date:
(Print) Name: Nelson Vincent, EdD                                  Title: Interim CIO and Associate Dean
Department: UCIT




[ ] Yes, this Risk can be accepted.                     [ ] No, this Risk cannot be accepted.


Signed by:                                                         Signature Date:
(Print) Name: Santa Ono, PhD                                       Title: Sr. Vice President and Provost
Department: Office of the Senior Vice President for Academic Affairs & Provost




Appendix A

Terms

  - Acceptable risk - A term used to describe the minimum acceptable risk that an organization is
    willing to take.
  - Countermeasure or safeguards - Controls, processes, procedures, or security systems that help to
    mitigate potential risk.
  - Exposure - When an asset is vulnerable to damage or losses from a threat.
  - Exposure factor - A value calculated by determining the percentage of loss to a specific asset
    because of a specific threat.
  - Residual risk - The risk that remains after security controls and security countermeasures have
    been implemented.
  - Risk management - The process of reducing risk to assets by identifying and eliminating threats
    through the deployment of security controls and security countermeasures.
  - Risk analysis - The process of identifying the severity of potential risks, identifying vulnerabilities,
    and assigning a priority to each. This may be done in preparation for the implementation of
    security countermeasures designed to mitigate high-priority risks.

Criticality Matrix

Columns: Most Critical (highest level of sensitivity), Critical (moderate level of sensitivity),
Least Critical (very low, but still requiring some protection).

Legal Requirements
  Most Critical:  Protection of data is required by law (e.g., HIPAA and FERPA data elements and
                  other personal identifying information protected by law)
  Critical:       The institution has a contractual obligation to protect the data (e.g.,
                  bibliographic citation data, bulk licensed software)

Reputation Risk
  Most Critical:  High
  Critical:       Medium
  Least Critical: Low

Other Institutional Risks
  Most Critical:  Information that provides access to resources, physical or virtual
  Critical:       Smaller subsets of Most Critical data from a school, large part of a school, or
                  department

Data Examples
  Most Critical:
    - Medical
    - Student
    - Prospective student
    - Personnel
    - Donor or prospect
    - Financial
    - Contracts
    - Physical plant detail
    - Credit card numbers
    - Certain management information
  Critical:
    - Information resources with access to Most Critical data
    - Research detail or results that are not Most Critical
    - Library transactions (e.g., catalog, circulation, acquisitions)
    - Financial transactions that do not include Most Critical data (e.g., telephone billing)
    - Very small subsets of Most Critical data
  Least Critical:
    - Campus maps
    - Personal directory data (e.g., contact information)
    - E-mail
    - Institutionally published public data




The Risk Matrix

To determine the degree of urgency attached to a given situation, refer to this table.


                               Impact
                        High    Medium   Low
Probability  High        A        B       C
             Medium      A        B       C
             Low         B        C       C



Risk Assessment

The UC Office of Information Security will assist with Risk Assessment upon request.



