SP 6-10p
APPROVED: January 28, 2021
EFFECTIVE: January 28, 2021
REFERENCE(S): Board Policy (BP) 6-10, Cyber Security Policy
APPROVED:
/ Joe Garcia /
Joseph A. Garcia
Chancellor
This procedure documents requirements for identifying, assessing and taking steps to reduce, to an acceptable level, risks associated with the Colorado Community College System and its Colleges’ (“CCCS”) Information Technology (“IT”) environment. This procedure applies to actions or conditions that could pose risks to the Information Systems or Assets of CCCS. Risks should be identified and addressed through IT management processes that may involve the introduction of a new vendor, product, service, system or application. The risk management principles stated here shall also apply to risks that result from identified threats and vulnerabilities.
This procedure applies to Information Systems or Assets owned, leased, managed and maintained by the System IT Department (“System IT”) or the College’s IT Department (“College IT”) or by third parties on behalf of CCCS, and to employees, personnel affiliated via third-party contracts, and volunteers who have access to Information Systems and Assets that are owned or leased by CCCS.
Risk Management
Risk management is defined as the process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.
Risk Assessment
Risk assessment is defined as the process of identifying risks to organizational operations (including mission, functions, image, reputation) and organizational assets, resulting from the operation of an information system. Part of risk management incorporates threat and vulnerability analysis, and considers mitigations provided by security controls planned or in place.
The System Chancellor delegates to the System Vice Chancellor for Information Technology responsibility for oversight of compliance with and implementation of this procedure. Further, the System Chancellor delegates to the College Presidents the responsibility for implementation of and compliance with this procedure at their respective institutions.
General Information
Risk Management is an integral part of the IT strategic planning process at CCCS, as well as in coping with daily threats and vulnerabilities. The objective of the Risk Management program is to ensure that its principles are woven throughout System IT and College IT processes and the CCCS Risk Management Plan.
IT Risk Management Approach
IT Management shall establish a systematic approach to identifying risks associated with ongoing events that takes into consideration the following elements:
Risks shall be handled in accordance with the following hierarchy:
Identified risks shall be documented within the System IT’s or College IT’s risk register. Changes to address risks should follow the change management procedure.
Annual Risk Assessment
System IT and College IT shall conduct and document an overall high-level IT Risk Assessment on an annual basis and ensure that:
CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.