Risk Management Policy

Purpose and Scope

To establish a process to manage risks to Volum8 that result from threats to the confidentiality, integrity and availability of Volum8 data and Information Systems.

Policy

All Information Systems must be assessed for risk to Volum8 that results from threats to the integrity, availability and confidentiality of Volum8 Data. Assessments should be completed prior to the purchase of, or significant changes to, an Information System, and at least every 2 years for systems that store, process or transmit Restricted Data.

Risks identified by a risk assessment must be mitigated or accepted prior to the system being placed into operation.

Residual risks may only be accepted on behalf of the university by a person with the appropriate level of authority as determined by the Information Security Officer. Approval authority may be delegated if documented in writing, but ultimate responsibility for risk acceptance cannot be delegated.

Each Information System must have a system security plan, prepared using input from risk, security and vulnerability assessments.

Responsibilities

  1. Information Security Officers (ISAs) are responsible for ensuring that their unit conducts risk assessments on Information Systems and uses the Volum8-approved process.

  2. Information Owners (ISOs) are responsible for ensuring that Information Systems under their control are assessed for risk and that identified risks are mitigated, transferred or accepted.

Last updated