6.2 Risk Assessment Standard
6.2.1. Overview
See Purpose
6.2.2. Purpose
To empower ITS to perform periodic information security risk assessments (RAs) for the purpose of determining areas of vulnerability, and to initiate appropriate remediation.
6.2.3. Scope
Risk assessments can be conducted on any entity within Highline College. RAs can be conducted on any information system, to include applications, servers, and networks, and any process or procedure by which these systems are administered and/or maintained.
6.2.4. Standard
The execution, development, and implementation of remediation programs are the joint responsibility of ITS and the department responsible for the system area being assessed. Employees are expected to cooperate fully with any RA being conducted on systems for which they are held accountable. Employees are further expected to work with ITS in the development of a remediation plan.
6.2.5. Compliance
6.2.5.1 Compliance Measurement
ITS will verify compliance with this standard through various methods, including, but not limited to, business tool reports, internal and external audits, and feedback to the standard owner.
6.2.5.2 Exceptions
Any exception to the standard must be approved by ITS in advance.
6.2.5.3 Non-Compliance
An employee found to have violated this standard may be subject to disciplinary action, up to and including termination of employment.
6.2.6. Related Standards, Policies, and Processes
None.
6.2.7. Revision History
Date | By | Summary |