2022-2023 Administrative Policy Manual Published September 2, 2022 [ARCHIVED COPY]

Sep 07, 2024

Information Technology Risk Assessment


Policy Number: 11.23
Effective Date: March 14, 2023
Revision History: None
Policy Contact: Information Security Officer

I. Purpose and Policy Statement

The purpose of this policy is to facilitate compliance with applicable federal and state laws and regulations, as well as University System of Georgia (“USG”) policies and recommendations, in order to protect the confidentiality and integrity of Georgia Gwinnett College’s (“GGC”) information technology (“IT”) resources and to enable leaders to make informed decisions regarding risk tolerance and risk acceptance.

The Information Security Officer (or designees) is authorized to perform periodic information security risk assessments, including vulnerability scans, to identify vulnerabilities and to initiate appropriate remediation. GGC uses a formal Information Security Risk Management (“ISRM”) program based on the current revision of National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-30, Guide for Conducting Risk Assessments, to identify risks and to implement plans to address and manage them. The Information Security Officer is responsible for managing the ISRM program and for coordinating the development and maintenance of program policies, procedures, standards, and reports in collaboration with appropriate leaders and stakeholders.

The ISRM program is based on risk assessment and is developed in consideration of GGC priorities, staffing, and budgets. Risk assessments must identify, quantify, and prioritize risks against the College’s risk acceptance criteria and the objectives relevant to the College. The results guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls to protect against those risks. Each risk assessment must include both a systematic approach to estimating the magnitude of risks (risk analysis) and a process for comparing the estimated risks against the risk criteria to determine their significance (risk evaluation).

Risk assessments are performed periodically to address changes in security requirements and in the risk landscape (e.g., threats, vulnerabilities, impacts, risk evaluation criteria, and data classification). Risk assessments must be systematic and capable of producing comparable and reproducible results, so that results from different periods and different systems can be ranked against each other. To be effective, an information security risk assessment should have a clearly defined scope and should be coordinated with risk assessments performed in other areas of the College, where appropriate.

II. Scope

Scope includes all GGC IT resources used on or off campus and all users of GGC IT resources, including but not limited to faculty, administrators, staff including student workers, students, visitors, vendors, and other service providers.

III. Definitions

Information Technology Resource: Any hardware, software, service, system, or database used in support of College activities. This includes systems and applications hosted on premises or in the cloud, and applications developed by the College.

Control: A process, procedure, or technical safeguard that reduces risk.

Inherent Risk: The level of risk before Risk Treatments (controls) are applied.

Information Security Risk Management (ISRM): A program that consistently identifies and tracks information security risks, implements plans for remediation, and guides strategic resource planning.

Residual Risk: Level of risk that remains after Risk Treatments (controls) are applied to a given Risk.

Risk: The possibility of suffering harm or loss or the potential for realizing unwanted negative consequences of an event.

Risk Management: The ongoing management process of assessing risks and implementing plans to address them.

Risk Assessment: The process of taking identified risks and analyzing the potential severity of their impact and the likelihood of their occurrence in order to determine a risk level.

Risk Treatment: The process of selecting and implementing a response to an assessed or identified risk. The risk treatment options are avoidance (withdrawing from the activity), sharing (transferring part of the risk, e.g., to a vendor or insurer), modification (reducing or mitigating the risk through controls), and retention (accepting the risk).

IV. Roles and Responsibilities
  1. The Information Security Officer (or designees) is authorized to perform periodic information security risk assessments to identify areas of vulnerability and to initiate appropriate remediation.
  2. All community members are responsible for complying with technology policies, standards, and procedures, and for being aware of the risk management and remediation controls used to prevent or detect vulnerabilities and unauthorized use or access.

V. Related Regulations, Statutes, Policies, and Procedures

USG IT Handbook
USG Business Procedures Manual
National Institute of Standards and Technology (NIST) Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations