The Official Web site for the Office of Information Technology - UTSA


Copyright (c) 2010. The University of Texas at San Antonio. All rights reserved.


Information Security Risk Assessment Standard

Departments and data owners who manage information resources must sponsor formal risk assessments to identify the risks that could affect the operation and security of their information assets. A risk assessment is the first step in protecting an information resource: its findings shape the mitigation strategies and plans that follow.

A risk assessment succeeds only with the support of management. Those who perform it are likely to include ISAs, ITAs and other functional managers; they work with the data owner or department head and the Information Security Office (ISO) to identify controls that protect the data from, or allow recovery after, loss, exposure or inappropriate modification.

The strategy report that results from the assessment is submitted to the ISO annually and should cover the planning and controls for the most critical risks. For each asset it should include identifying information, the responsible contacts and their contact information, the vulnerabilities and threats identified, and the actions and resources needed to mitigate or accept each risk.

The ISO will incorporate the strategy reports into a university-wide framework.

See also Data Classification Guidelines: http://www.utsa.edu/oit/std/sec_data_classification_std.html

Effective Date: October 31, 2011

Compliance Date: December 31, 2011

Last Revision: May 3, 2011
