Procedure 7.14.01 - Risk Assessment and Management


Introduction

In today’s threat-rich environment, every effort must be made to control risks associated with the college’s vital business functions and services. The purpose of this procedure is to provide a blueprint that maximizes the protection of the confidentiality, integrity, and availability of the college’s information while still preserving functionality and usability.

Risk is defined as a condition or action that may affect the outcome of planned activities that are critical to the college’s functions and services. Risks arise from random events, interdependencies among systems and processes, environmental conditions, and other factors. The entities affected by risk are the college’s information and physical assets, which the institution is required to protect.

Risks can cause disruptions that adversely affect the college’s ability to provide services to its customers. To ensure that risks are appropriately managed, Risk Assessment and Management (RAM) includes the identification, evaluation, and control of risks to protect the college’s information technology assets and vital business functions and services. Currently, this procedure is limited to the college’s critical business functions, including the information infrastructure and the information it carries. Both virtual and physical risks are assessed.

Guidelines

The college uses the following guidelines to manage risk in a manner that best supports the continuation of business functions and services.

Activities

The following four major elements comprise RAM activities at Southeastern Community College:

  1. Identification of Risks: The college makes a continuous effort to identify and document risks in terms of their effects on the continuation of business functions and services. Risk is assessed on all new mission-critical functions and services as part of the planning process, and is also assessed as part of any change to existing mission-critical functions and services.
  2. Analysis of Risks: The college evaluates the potential impact of an identified risk and estimates its probability and timeframe. This includes assigning a risk level based on the likelihood that someone attacks the system (a realized threat) and is able to penetrate it (an exploited vulnerability). A risk exists only where a threat and a vulnerability coincide: if there are no potential attackers, none of the system’s vulnerabilities constitute a risk, and if there are no vulnerabilities, potential attackers do not constitute a risk.
  3. Mitigation of Risk: The college makes decisions and develops actions that reduce the impact of risks, limit the probability of their occurrence, and/or improve the response when a risk is realized. This process includes determining a mitigation level based on the resources (monetary, time, etc.) required to mitigate the risk.
  4. Tracking of Risks: The college collects and reports status information about risks and their mitigation plans, responds to changes in risks, and takes corrective action as needed.

Processes

Risk assessment and management is an ongoing process that continues to evolve, and that evolution should focus on improving the continuity of the college’s critical functions and services. The process must identify each risk and its potential impact, and must produce strategies that justify the resources required to provide an appropriate level of continuity initiatives and programs.

A blueprint is necessary for the risk assessment and management process to succeed. The document entitled Risk Assessment and Management Process provides the structure needed to perform risk assessment at the college.

Reviewed and Last Updated on October 19, 2020.