1.0 Revision History
RISK ASSESSMENT POLICY
May 28, 2009
May 28, 2009
Harper P. Johnson, Director of Information
The purpose of the Risk Assessment Policy is to authorize the NAU
Director of Information Security (IS) to perform periodic information security
risk assessments for the purpose of determining areas of vulnerability, and to
initiate appropriate remediation.
Information – Data
elements, whether in part or combined, that are of value to the University,
such as student or employee records, intellectual property, research data, or
Information Systems – All computer and network systems owned by and/or
administered by the University. This includes all computing platforms of all
sizes from personal digital assistants (PDAs) to mainframe computers, all
peripheral devices and media, and all data contained on those systems.
Risks -Those factors that could affect the security,
availability, and integrity of the University’s key information assets and
University Administrators - For the purposes of this Policy
are those individuals responsible for campus organizational units (e.g., deans,
department chairs, principal investigators, directors, or managers) or
individuals having functional ownership of data.
4.1 This Policy applies to all Northern Arizona
University faculty, staff, students, and University Affiliates.
4.2 This Policy applies to all information systems
owned by and/or administered within the University. This includes all computing
platforms of all sizes from personal digital assistants (PDAs) to mainframe
computers, all peripheral devices and media, and all data contained on those
4.3 This Policy applies to data in any tangible form
whether it is written, printed, taped, or stored in hard copy or electronic
The IS program is to be based on risk assessment
and developed in consideration of university priorities, staffing, and budget.
Risk assessments must identify, quantify, and
prioritize risks against criteria for risk acceptance and objectives relevant
to the university. The results are to guide and determine the appropriate
management action and priorities for managing information security risks and
for implementing controls selected to protect against these risks.
Risk assessment must include the systematic
approach of estimating the magnitude of risks (risk analysis) and the process
of comparing the estimated risks against risk criteria to determine the
significance of the risks (risk evaluation).
Risk assessments are to be performed periodically
to address changes in the security requirements and in the risk situation, e.g.
in the assets, threats, vulnerabilities, impacts, the risk evaluation, and when
significant changes occur.
Risk assessments are to be undertaken in a
methodical manner capable of producing comparable and reproducible results. The
information security risk assessment should have a clearly defined scope in
order to be effective and should include relationships with risk assessments in
other areas, if appropriate.
President of the University: The President support and authorizes this Policy for University-wide implementation.
Administrators: University Administrators have a responsibility to
ensure that this Policy is supported with their organizational units.
of Information Security: The Director of Information Security is
responsible for developing and implementing procedures and guidelines
necessary to implement this Policy
Persons who are subject to this Policy
may also be subject to the provisions of applicable NAU Personnel Policies, the
student employment handbook, and Arizona Board of Regents policies, including
provisions for discipline for violation of this Policy, as well as applicable
Arizona Board of Regents: Information Security Policy:
Arizona Board of Regents:
Information Security Guidelines:
NAU Information Security Policy: