Risk Management

Purpose

The University of New Mexico is committed to protecting the information with which it is entrusted. This component of the UNM Information Security Program aligns with the National Institute of Standards and Technology (NIST) Special Publication (SP) Series and Frameworks. This Information Risk Management program component describes how UNM helps minimize risks to the confidentiality, integrity, and availability of information for which UNM is responsible. This Risk Management program component accomplishes this by providing UNM with a standard and consistent approach for identifying and assessing risk.

The purpose of Risk Management is to manage risks to the privacy and security of UNM's information, including, but not limited to, Personally Identifiable Information (PII), Controlled Unclassified Information (CUI), and other data ("UNM Data") protected through agreements, contracts, and regulations ("Protected Data"). This program component incorporates a risk management framework that integrates Vendor Risk Management (VRM) and information systems risk management practices.

Objectives

  • Identify roles and responsibilities
  • Establish standard risk management practices
  • Reduce existing risk to sensitive information and/or Protected Data
  • Reduce future risk to sensitive information and/or Protected Data
  • Restrict access to sensitive information and/or Protected Data to those with a business need to know
PROPERTIES

  Property                 Description
  Circulation              Internal Use Only
  Classification           Public
  Document Owner           Information Security & Privacy Office
  Next Scheduled Review    11/01/2024
  Effective Date           09/11/2023

APPROVALS

  Version    Date          Approved by
  V1.1       11/03/2023    Jeff Gassaway

Scope

This program component applies to all information and systems that access UNM Data, including Protected Data, regardless of whether that access is provided through goods, services, or other forms of third-party access, including Sponsored Projects, Data Use Agreements, or any other process whereby access to UNM Data is provided.

Overview

Risk management is the continuous process of identifying, assessing, and mitigating risks in information systems. Addressing these risks before a system or service stores, processes, or transmits UNM Data is critical to mitigating a potential breach of that information. Guidance from the NIST Special Publications and ISO 27001 provides a framework of the security controls that must be implemented, assessed, and accounted for within an organization's information systems and environment. Gaps in security controls are a potential risk and liability for an organization and its ability to protect the confidentiality, integrity, and availability of its systems and data.

A third party/vendor must implement sufficient security controls to protect its own systems and to ensure that it is able to protect the University's data. Once UNM Data leaves the University's environment, the University's own security controls no longer apply to it; any gap in a third party's/vendor's security controls creates a potential attack vector and security incident and can result in the loss of confidentiality of UNM's data or systems. Similarly, any data that is stored, processed, and transmitted back to the University may impact the integrity or availability of UNM Data and systems. Therefore, awareness of a third-party vendor's established security and/or compensating controls is critical to safeguarding the confidentiality, integrity, and availability of the data for which the University is responsible.

The security landscape evolves continuously and consequently requires periodic review of an information system's or third party's/vendor's security controls. Continuous assessment is necessary to evaluate new security controls or risks and to verify that existing security controls remain adequate to mitigate emerging security threats.

Prepare

The first stage of the Risk Management component establishes the foundation that dictates the risk management strategy/framework. This step is referenced throughout the remaining Risk Management Framework steps. It involves identifying the business purpose for the proposed information system, stakeholders, assets, authorization boundaries, the information/data types involved, the information lifecycle, risk assessments, security requirements, security control implementation, etc., to ensure the University is aware of the risks associated with the information system. Different types of data are subject to different laws and regulations, which alter the security control requirements needed to protect that data. Establishing these details aligns the needs of stakeholders with the University's obligation to ensure the confidentiality, integrity, and availability of UNM Data and enables effective communication between stakeholders. This step is generally conducted by the Information Security and Privacy Officer, ISPO staff, the Office of University Counsel, UNM leadership, and/or other administrative bodies within the institution.

Categorize

The purpose of this stage is to conduct an impact analysis and determine the adverse impact of a loss of confidentiality, integrity, or availability of systems and of the information that is processed, stored, and transmitted by those systems. During this stage, details about the system are captured and documented to provide a comprehensive understanding of the scope of the system and the information it processes, stores, and transmits. An impact analysis of the system is conducted and a security categorization/impact rating is determined based on the information types identified and the effect of a loss of confidentiality, integrity, or availability of each. The impact analysis and security categorization undergo review for approval by the Information Security and Privacy Officer.

Select

During this stage, security controls are chosen to protect the information systems and the University. The University's Information Security Program is based on NIST SP 800-171 and SP 800-53 and establishes security control requirements from these publications and those required by laws and regulations.

Modifications to the security controls may be necessary based on findings from risk assessments, University needs, and other factors. The security controls are then assigned to the system, elements, and environment and the control implementation plan is developed and documented. Whenever possible, the system will be included in the continuous monitoring service ISPO provides. All outputs from this step undergo review for approval before the implementation of controls.

Implement

In this stage, the assigned controls are implemented and documented. Any controls that could not be implemented, or whose implementation deviated from what was planned, must be documented, including the impact of the changes, the authorizations obtained, and any other deviations from the plan.

Assess

During this stage, the implemented controls are assessed to determine their effectiveness. Prior to the control assessment, an assessment plan is created that tests the implemented controls to ensure that they are implemented correctly and are effective. A report is generated from the findings of the control assessment and provides recommendations for remediating the issues found. Remediation actions can be assigned and tracked in a plan, or the University can provide context regarding a finding and accept the risk. Findings are documented, and a plan to implement mitigations is created with milestones to track progress. Once remediations are implemented, the controls can be reassessed.

Authorize

The purpose of this stage is to obtain authorization from Data Stewards or other authorized individuals before implementing the system in production. These individuals are provided documents, including plans, reports, and an executive summary related to the implementation of the system, which they review in order to make a risk determination. The authorizing individuals can decide to mitigate the risks or to accept the risk. If mitigation is chosen, the plan referenced in the Assess step must be updated to account for it. If the risk is accepted, the authorization must be documented, allowing implementation of the system to proceed.

Monitor

This stage ensures that awareness of the security posture of the system is an ongoing and continuous process. Any changes involving the system or its environment are monitored and tracked. All previous stages are revisited as part of continuous monitoring, so that assessments of security controls validate their effectiveness and the University has authorized risk responses to any change that may impact the system's security posture. Once a system is determined to be no longer of use or end-of-life, strategies must be put in place to ensure that the system and the UNM Data it processed, stored, and transmitted are protected against a loss of confidentiality, integrity, and availability.

Roles and Responsibilities

Chief Information Officer (CIO)

Responsible for ensuring that the University information security program is implemented, is well supported by resources and budget, and is effective. This individual must prioritize risk management to ensure an effective information security program that addresses risk and allows the University's information systems to implement security controls to mitigate/remediate these risks.

Information Security and Privacy Officer (ISPO)

Responsible for ensuring that the University and its information systems and information/data abide by laws and regulations. The Information Security and Privacy Officer liaises between University Administration, Business Process Owners, Data Owners, Data Stewards, and Data Custodians to ensure these individuals understand the University's risk tolerance and the impact of accepting risks that may be incurred from the procurement of any information system that stores, processes, or transmits UNM Data, whether on-premises or by a third-party vendor. This individual is responsible for ensuring that institutional information security and privacy practices are followed to maintain an effective information security program.

ISPO – Privacy, Compliance, and Risk Staff

The ISPO's Privacy, Compliance, and Risk staff must stay current on information security laws and regulations. They must also continually ensure that the University is abiding by the laws and regulations to which it is subject. The ISPO's Privacy, Compliance, and Risk area is responsible for reviewing all electronically completed privacy impact assessments and relevant documentation submitted through Banner Workflow, for reviewing additional documentation where applicable, and for contacting the ISPO's Information Security Operations team when a technical impact analysis of the vendor's information security policies, procedures, and controls is required.

ISPO – Information Security Operations Staff

The ISPO's Information Security Operations staff must stay current on information security trends, technology, knowledge, and technical skills. They must continually evaluate the effectiveness and appropriateness of the security controls and risks that the University manages. The ISPO's Information Security Operations area is responsible for conducting technical impact analyses by reviewing third-party/vendor information security policies, procedures, and controls, identifying deficiencies in security controls and any other issues of concern that may impact the University, and providing remediation actions if required.

Data Stewards

UNM's data stewards have the authority to authorize the access and use of UNM Data, including Protected Data, under their purview. UNM Policy 2580 and Data.UNM describe UNM's Data Governance policies, processes, and standards. UNM-designated Data Owners or Data Stewards are responsible for appropriately reviewing proposed procurements that involve any data they are responsible for. Any scenario involving sensitive information/UNM Data requires written approval from the appropriate Data Owner or Data Steward before the procurement process starts.

IT Officers, IT Liaisons, and IT Managers

UNM-designated IT Officers, IT Liaisons, and in some cases IT Managers are responsible for thoroughly reviewing this document, coordinating responses to the Privacy Impact Assessment Questionnaire (PIAQ), collecting additional documentation if required (e.g., Data Owner or Data Steward approval, business agreements, vendor privacy policies, vendor-completed HECVAT, vendor HECVAT supplemental documentation, department-completed SSNCRW, etc.), and submitting a request on behalf of the applicable Purchasing Agent via Banner Workflow.

Vendors

In all scenarios involving sensitive information, the ISPO shall review the applicable business agreement(s) between the University and the vendor, and the vendor's information privacy policies and procedures. At the end of the contract period, vendors must certify in writing that all UNM Data was either returned to UNM in a form agreed to by UNM or destroyed. Please ensure that you have obtained the appropriate documentation before submitting a Purchasing Risk Assessment request.

Purchasing Agents

Purchasing Agents are responsible for thoroughly reviewing this document and for coordinating communication between the departmental contact responsible for the business process a proposed procurement supports and the appropriate IT Officer, IT Liaison, or in some cases IT Manager.

Risk Management Process

UNM's data stewards have the authority to authorize the access and use of UNM Data, including Protected Data under their purview. UNM Policy 2580 and Data.UNM describe UNM's Data Governance policies, processes, and standards.

UNM's risk management processes must be followed, regardless of whether they apply to goods, services, or other forms of third-party access to UNM Data, including Sponsored Projects, Data Use Agreements, or any other processes whereby access to UNM Data is provided.

Vendor and Other Third-Party Risk Management

UNM community members who are authorized by the appropriate UNM data stewards to use UNM Data, especially Protected Data, in a system or solution that will be managed or accessed by a third-party entity should work with their IT Officer or appropriate IT resource to submit the following documentation through Banner Workflow.

ISPO Privacy, Compliance, and Risk (PCR) staff will work with stakeholders to assess

  • What regulations and compliance requirements apply to the UNM Data and the allowed purposes for collection and use of UNM Data
  • Whether the UNM Data at issue can be minimized to reduce risks, including:
    • Re-identification with the use of de-identified or limited identifier data
    • Identity theft or Fraud with the use of PII
    • Other regulatory risks related to the use or misuse of CUI

ISPO Information Security Operations (ISO) staff will assess

  • Where HECVATs are provided, whether vendor safeguards for UNM Data are reasonable and appropriate to protect the data
  • Where third-party audits or certifications are provided, whether the UNM Data and systems covered by the audits or certifications are sufficiently applicable to the data and information systems at issue, so that UNM can rely on the separate third party's validation for assurance of the vendor's safeguards

ISPO staff will also assess whether there is substantial residual risk and will

  • Work with Data Stewards, IT Officers, requestors, and other stakeholders to develop a risk management plan that documents additional safeguards to be implemented prior to use of Protected Data. Additional safeguards may be operational, technical, or a blend of both. Risk management plans and additional safeguards will be documented and retained.

In limited circumstances where there is residual risk that cannot be mitigated, UNM executives may consider whether to accept additional risks. Risk acceptance will be documented and retained.

UNM-Hosted Information System Risk Management

UNM community members who are authorized by the appropriate UNM data stewards to use UNM Data, especially Protected Data, in an information system or solution that will be implemented by UNM staff and hosted and managed in UNM-owned or UNM-managed facilities should work with their IT Officer or other appropriate IT resources to submit the following through Banner Workflow.

  • Data Steward Approval
  • PIAQ describing data, use case, and system/solution's vendor
  • A current On Prem HECVAT
  • Any supplemental documentation provided by the vendor that is referenced in the HECVAT.

ISPO PCR staff will work with stakeholders to assess

  • What regulations and compliance requirements apply to the UNM Data and the purpose for collection
  • Whether the UNM Data at issue can be minimized to reduce risks, including:
    • Re-identification with the use of de-identified or limited identifier data
    • Identity theft or Fraud with the use of PII
    • Other regulatory risks related to the use or misuse of CUI

ISPO ISO staff will assess

  • Where HECVATs are provided, whether vendor safeguards for UNM Data are reasonable and appropriate to protect the data
  • Whether safeguards for UNM Data are reasonable and appropriate to protect the privacy and security of the data. Where deficiencies or risks are identified, ISPO staff will work with IT Officers and their customers to identify and document additional operational and/or technical safeguards to appropriately protect UNM Data

ISPO staff will also assess whether there are substantial residual risks and will

  • Work with Data Stewards, IT Officers, requestors, and other stakeholders to develop a risk management plan that documents additional safeguards to be implemented prior to use of Protected Data. Additional safeguards may be operational, technical, or a blend of both. Risk management plans and additional safeguards will be documented and retained.

In limited circumstances where there is residual risk that cannot be mitigated, UNM executives may consider whether to accept additional risks. Risk acceptance will be documented and retained.


REVISION HISTORY

  Version    Date          Description of Changes                                                                 Revised by
  V1.0       09/11/2023    Created Risk Management program component and incorporated risk management framework.   Harold Chang
  V1.1       11/03/2023    Updated language in Purpose section                                                     Harold Chang

If you have questions or would like to provide feedback regarding this document, please use ServiceNow to submit a request to ensure your question or feedback is received and tracked.
