
Last review date: February 2020, version 1.0.2

Purpose

The purpose of the Bethel University Information Risk Management Policy is to establish the requirements for the assessment and treatment of information security-related risks facing Bethel University.

Audience

The Bethel University Information Risk Management Policy applies to all Bethel University individuals that are responsible for management, implementation, or treatment of risk activity.

Policy

  • Formal organization-wide risk assessments will be conducted by Bethel University no less than annually, or upon significant changes to the Bethel University environment.
  • Risk assessments must account for administrative, physical, and technical risks.
    • Must seek to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of student, employee, or donor information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the risk assessment must include consideration of risks in each relevant area of operations, including:
      • Administrative controls, including policies, awareness training, guidelines, standards, and procedures;
      • Physical controls to protect assets from physical theft, modification, and destruction;
      • Internal technical controls, including firewalls, intrusion prevention systems, anti-virus software, and mobile device management;
      • External technical controls, including search engine indexes, social media, DNS, port scanning, and vulnerability scanning.
  • Information security risk management procedures must be developed and include the following (at a minimum):
    • Risk Assessment, including an inventory of all systems containing PII and other protected data.
    • Risk Treatment (see Bethel’s Risk Analysis, which outlines risks, their likely associated impact, and their prioritization).
    • Risk Communication, including assignment of responsibility to workforce members who have appropriate expertise.
    • Risk Monitoring and Review, including security methods implemented as a result of an identified risk.
  • Risk evaluation criteria should be developed for evaluating the organization’s information security risks considering the following:
    • The strategic value of the business information process.
    • The criticality of the information assets involved.
    • Legal and regulatory requirements, and contractual obligations.
    • Operational and business importance of availability, confidentiality and integrity.
    • Stakeholders’ expectations and perceptions, and negative consequences for goodwill and reputation.
  • All risks will be classified and prioritized according to their importance to the organization.
  • One or more of the following methods may be used to manage risk:
    • Acceptance, avoidance, limitation, or transference
  • Periodically, Bethel University may contract with a third-party vendor to conduct an independent risk assessment and/or to validate the effectiveness of the Bethel University risk management process.

References

  • ISO 27002: 18
  • NIST CSF: ID.GV, ID.RA, ID.RM, PR.IP

Waivers

Waivers from certain policy provisions may be sought following the Bethel University Waiver Process.

Enforcement

Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.

Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.

Version History

| Version | Modified Date  | Approved Date | Author             | Reason/Comments       |
|---------|----------------|---------------|--------------------|-----------------------|
| 1.0.0   | October 2016   |               | FRSecure           | Document Origination  |
| 1.0.1   | February 2018  |               | Andrew Luchsinger  | Bethel Modifications  |
| 1.0.2   | February 2020  | June 2020     | InfoSec Committee  | Committee Review      |