SP 6-10p – Information Technology Risk Management

Colorado Community College System / System Procedure


SP 6-10p

APPROVED: January 28, 2021
EFFECTIVE: January 28, 2021

REFERENCE(S): Board Policy (BP) 6-10, Cyber Security Policy

APPROVED:

/ Joe Garcia /
Joseph A. Garcia
Chancellor

BASIS

This procedure documents requirements for identifying, assessing and taking steps to reduce, to an acceptable level, risks associated with the Colorado Community College System and its Colleges’ (“CCCS”) Information Technology (“IT”) environment. This procedure applies to actions or conditions that could pose risks to the Information Systems or Assets of CCCS. Risks should be identified and addressed through IT management processes that may involve the introduction of a new vendor, product, service, system or application. The risk management principles stated here shall also apply to risks that result from identified threats and vulnerabilities.

APPLICATION

This procedure applies to Information Systems or Assets owned, leased, managed and maintained by the System IT Department (“System IT”) or the College’s IT Department (“College IT”) or by third parties on behalf of CCCS, and employees, personnel affiliated via third party contracts, and volunteers that have access to Information Systems and Assets that are owned or leased by CCCS.

DEFINITIONS

Risk Management
Risk management is defined as the process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.

Risk Assessment
Risk assessment is defined as the process of identifying risks to organizational operations (including mission, functions, image, reputation) and organizational assets, resulting from the operation of an information system. Part of risk management incorporates threat and vulnerability analysis, and considers mitigations provided by security controls planned or in place.

PROCEDURE

The System Chancellor delegates to the System Vice Chancellor for Information Technology responsibility for oversight of compliance with and implementation of this procedure. Further, the System Chancellor delegates to the College Presidents the responsibility to implement and compliance with this procedure at their respective institution.

General Information
Risk Management is an integral part of the IT strategic planning process at CCCS, as well as in coping with daily threats and vulnerabilities. The objective of the Risk Management program is to ensure that its principles are woven throughout System IT and College IT processes and the CCCS Risk Management Plan.

IT Risk Management Approach
IT Management shall establish a systematic approach to identifying risks associated with ongoing events that takes into consideration the following elements:

  • An understanding of the organization’s capacity for risk acceptance.
  • Identification of Information Assets and their classification.
  • Identification of the vulnerabilities and threats and their risk ranking according to the likelihood and impact.
  • Analysis of controls, current and proposed.
  • Recommendations to maintain risks at acceptable levels.
  • Assignment of risk ownership.

Risks shall be handled in accordance with the following hierarchy:

  • Whenever possible CCCS will seek to eliminate risk (Risk Elimination).
  • Where appropriate, CCCS will consider transferring risks to organizations more skilled or equipped to handle such risks (Risk Transference).
  • Where risks cannot be eliminated or outsourced, every reasonable effort will be made to reduce the likelihood and/or the consequences of a risk (Risk Mitigation).
  • After due consideration, CCCS may decide that a risk is acceptable and put into place appropriate safeguards around the risk to ensure effective management (Risk Acceptance).

Identified risks shall be documented within the System IT’s or College IT’s risk register. Changes to address risks should follow the change management procedure.

Annual Risk Assessment
System IT and College IT shall conduct and document an overall high-level IT Risk Assessment on an annual basis and ensure that:

  • The controls, relevant policies, procedures and related documentation reflect the identified risks.
  • Residual risks, with respect to security, are considered in the development of annual IT planning.
  • Risks identified in the previous 12 months have been addressed and their likelihood and impacts have been mitigated or accepted.

REVISING THIS PROCEDURE

CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.