I. Purpose
This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. It establishes requirements for Risk Management planning through security assessment and planning. Risk Management is the ongoing process of identifying, assessing, and responding to risk. Risk assessments and associated risk mitigation efforts are required by FSU security and privacy policies, and regulations with which the University must comply, including, but not limited to, Family Educational Rights and Privacy Act of 1974 (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Federal Information Security Management Act (FISMA) and the Payment Card Industry Data Security Standard (PCI DSS).
Compliance with this Standard is mandatory and is enforced in the same manner as the policies it supports. Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with this Standard or obtain an exception in accordance with the 4-OP-H-25.20 Request for Exception to IT Security Policy.
II. Definitions
Consolidated University Unit – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.
Cybersecurity Readiness Scorecard – a report provided by ISPO to FSU executive leadership on overall cybersecurity posture of CUUs and associated University Units. Metrics include compliance with information security and privacy policies, and utilization of security products provided by the University and the CUU/Unit technology environment.
IT Assets – technology resources including, but not limited to, computers, networks, servers, applications, databases, software, and operating systems owned by, managed by or sponsored by IT Asset Custodians.
Information Security Incident – a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.
Mitigation – a temporary solution to minimize a threat's negative impact when it cannot be eliminated.
Risk – a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of the adverse impacts that would arise if the circumstance or event occurs and the likelihood of occurrence.
Risk Acceptance – the decision to accept responsibility for an identified security risk.
Risk Mitigation – prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.
Risk Remediation – eliminating cybersecurity threat(s) by removing or fixing weaknesses detected in assets, networks, and applications.
Risk Tolerance – the organization’s readiness to bear the risk after risk treatment in order to achieve its objectives.
Risk Transfer – shifting of a security risk from one party to another.
Full IT Glossary
III. Standard
FSU has adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity and the NIST Privacy Framework in conjunction with NIST 800-53 Controls as the foundation for a risk-based approach to cybersecurity management. The Cybersecurity Framework (CSF) Core uses common cybersecurity functions, activities, and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines, and practices to establish baseline expectations for cybersecurity for all university units.
University Units are responsible for using this framework and controls to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.
Controls supporting this Standard include, but are not limited to:
NIST Cybersecurity Framework and Controls
| Function | Category | Desired Outcome (Subcategory) |
| --- | --- | --- |
| Identify (ID) | Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy. | ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value |
| Identify (ID) | Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. | ID.GV-4: Governance and risk management processes address cybersecurity risks |
| Identify (ID) | Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. | ID.RA-3: Threats, both internal and external, are identified and documented |
| Identify (ID) | Risk Assessment (ID.RA) | ID.RA-6: Risk responses are identified and prioritized |
| Identify (ID) | Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. | ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders |
| Identify (ID) | Risk Management Strategy (ID.RM) | ID.RM-2: Organizational risk tolerance is determined and clearly expressed |
| Identify (ID) | Risk Management Strategy (ID.RM) | ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis |
| Protect (PR) | Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. | PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) |
| Respond (RS) | Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident. | RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks |
Full CSF Crosswalk to Controls: NIST Crosswalk
*The above NIST chart describing Cybersecurity Framework and Controls and the link to other NIST Crosswalk principles and information in no way belongs to or is owned by Florida State University.
Roles and Responsibilities
Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the University. The CISO reports to the CIO and the Provost and serves as both the CISO and the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.
Responsibilities include, but are not limited to:
- Develop and maintain a standards-based risk assessment methodology.
- Provide guidelines and facilitate risk assessments for CUUs.
- Provide Risk Mitigation support and other follow-up for completed risk assessments.
- Provide education to CUU staff for conducting risk assessments.
Consolidated University Unit (CUU) Dean, Director or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
Consolidated University Unit (CUU) Privacy Coordinator
The liaison designated by the CUU Dean, Director or Department Head (DDDH) responsible for coordinating the CUU’s privacy program. The CUU Privacy Coordinator is the central point of contact between the University Units and ISPO for privacy issues.
University Unit Dean, Director or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a University Unit. The DDDH has management authority and responsibility for IT security and privacy for the unit, in coordination with their designated CUU’s information security program.
University Unit Information Security Manager (ISM)
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a University Unit’s compliance with security IT policies, standards, and guidelines, in coordination with their designated CUU’s information security program.
University Unit Privacy Coordinator
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a University Unit’s compliance with privacy IT policies, standards, and guidelines, in coordination with their designated CUU’s information privacy program.
Application Custodian
The Dean, Director, Department Head, or other manager who is ultimately responsible for an application system, including appropriate security safeguards.
Data Custodian
The Dean, Director, Department Head, or other manager who is ultimately responsible for the integrity, accurate reporting, and use of university data resources.
Data Manager
The University Unit employee(s) delegated operational oversight responsibility for data resources by the Data Custodian.
IT Asset Custodian
An individual with responsibility for the configuration, implementation, management, monitoring, oversight, and day-to-day operations of university IT Assets. IT Assets include but are not limited to enterprise or distributed networks, computers, servers, workstations, IoT devices, applications, databases, operating systems, and firmware.
For more information, see IT Roles and Responsibilities.
Risk Management Framework
Given the size, scope, and complexity of university IT Assets, it is not feasible to equally protect all technology systems and assets. A risk-based approach for assessing and prioritizing resource allocation for mitigating identified risks is necessary. FSU has adopted the NIST Risk Management Framework as the foundation for Risk Management planning and remediation requirements for cybersecurity and privacy of IT Assets.
Risk assessments identify security gaps and are conducted by units to help evaluate FSU’s overall security profile. In addition, University Units and Consolidated University Units (CUUs) are responsible for using FSU requirements and controls to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU technology Policies, Standards and Guidelines. Research projects are within the scope of this standard.
Risk assessment requirements and associated risk mitigation that exceed this Standard may be required by federal or state regulations (e.g., HIPAA, FISMA, GLBA), industry standards (e.g., PCI), or contractual agreements. See the Federal Trade Commission's "FTC Safeguards Rule: What Your Business Needs to Know" for more information.
Managing organizational IT risk is critical to an effective information security and privacy program. The NIST Risk Management Framework (RMF) is an ongoing security risk management lifecycle that includes the following steps:
Step 1: Prepare
Prepare to execute the RMF from an organization- and a system-level perspective by establishing a context and priorities for managing security and privacy risk.
This step will carry out essential activities to help prepare all levels of the organization (University Units and Consolidated University Units) to manage security and privacy risks. This step is intended to identify FSU-wide common controls, prioritize security activities to focus protection strategies on the most critical IT Assets, and increase efficiency of IT professionals and resources.
CUU ISMs and CUU Privacy Coordinators are responsible for ensuring a risk management strategy and appropriate risk planning for the CUU, identifying key individuals and roles, and compiling Unit inventory and assessment information at the CUU level.
University Unit ISMs and Privacy Coordinators are responsible for ensuring Unit risk management and compiling unit inventory and assessment information of data and IT Assets. Unit information will be made available to the CUU ISM and CUU Privacy Coordinator.
CUU Data Custodians, Data Managers, IT Asset Custodians, and Application Custodians are responsible for ensuring data, critical business functions and IT Assets under their control are identified, inventoried, and classified as defined by the 4-OP-H-25.01 Data Management Standard, 4-OP-H-25.03 IT Security Configuration Management Standard and other relevant FSU security and privacy standards.
CUUs will complete Risk Assessments regularly, on a rotating schedule. See Seminole Secure Schedule for more information on requirements for completion.
See Seminole Secure for more information.
Outcomes for this Step:
- Critical Business Functions Inventory
- Data Inventory
- IT Asset Inventory
- CUU Risk Assessment addressing unique CUU risks and risk tolerances (see Seminole Secure Risk Assessment)
Step 2: Categorize
Categorize systems and information processed, stored, and transmitted based on an analysis of the impact of loss, threats, vulnerabilities, and the likelihood of occurrence.
This step informs organizational risk management processes and tasks by determining adverse impacts to organizational operations and assets, individuals, and other organizations. All data and IT Assets are prioritized based on their data classification, criticality, and business value.
CUU ISMs and CUU Privacy Coordinators are responsible for addressing the CUU activities required by this step.
Unit ISMs and Unit Privacy Coordinators are responsible for addressing the unit activities required by this step. Unit information will be made available to the CUU ISM and CUU Privacy Coordinator.
Outcomes for this Step:
- CUU Business Impact Analysis (BIA). See 4-OP-H-25.12 IT Disaster Recovery Standard for additional requirements related to the BIA
- CUU Current Risk Profile
- CUU Target Risk Profile
Step 3: Select
Select an initial set of baseline security controls based on the data classification levels as defined by FSU’s IT Security and Privacy policies and associated standards.
This step involves selecting, tailoring, and documenting the security controls necessary to protect the inventory of unit data and IT Assets commensurate with the risk to organizational operations and assets, individuals, and other organizations.
Unit DDDHs and CUU DDDHs are responsible for ensuring and approving their Risk Management Plan.
CUU ISMs and CUU Privacy Coordinators are responsible for addressing the CUU activities required by this step.
Unit ISMs and Unit Privacy Coordinators are responsible for addressing the unit activities required by this step. Unit information will be made available to the CUU ISM and CUU Privacy Coordinator.
Outcome of this Step:
- Risk Management Plan – Units/CUUs must identify risks, remediation strategies, residual risks, prioritized actions necessary, controls, timeframes, and resources.
- CUU Risk Register identifying risks and associated documentation. The CUU Risk Register shall be made available to ISPO upon request.
Step 4: Implement
Implement controls and describe how the controls support the Risk Management Plan.
Controls should be documented including:
- Description of the controls required to address priority risks
- Primary staff responsibilities for each
- Estimated financial costs, time and staffing resources required for implementation of controls
- Start and completion timeframes
- Metrics to evaluate progress and success
Controls shall be implemented to remediate risks. Risks that are not remediated but are instead addressed by one of the following strategies are subject to additional requirements:
- Mitigation – implement identified control
- Transference – shift the risk to another party
- Acceptance – take responsibility for the identified risk
CUU ISMs and CUU Privacy Coordinators are responsible for addressing the CUU activities required by this step.
Unit ISMs and Unit Privacy Coordinators are responsible for addressing the unit activities required by this step. Unit information will be made available to the CUU ISM and CUU Privacy Coordinator.
Outcome of this Step:
- Implemented controls
- Unit/CUU DDDH acknowledges responsibility for any risks that are mitigated, transferred, or accepted (rather than remediated). An exception must be obtained from the CISO for any risk accepted by the Unit/CUU DDDH, in accordance with the 4-OP-H-25.20 Request for Exception to Security Policy.
Step 5: Assess
Assess controls to determine if they are implemented correctly, operating as intended and producing the desired outcomes with respect to satisfying the security and privacy requirements identified in FSU’s IT Security and Privacy policies and standards.
Controls must be reviewed to ensure they appropriately address risks commensurate with their priority to organizational operations and assets, individuals, and other organizations. Controls addressing protection of High Risk or Moderate Risk Data and IT Assets are high priority and take precedence over lower priority risk management activities.
CUU ISMs and CUU Privacy Coordinators are responsible for addressing the CUU activities required by this step.
Unit ISMs and Unit Privacy Coordinators are responsible for addressing the unit activities required by this step. Unit information will be made available to the CUU ISM and CUU Privacy Coordinator.
Outcome of this Step:
- Actions to remediate deficiencies in implemented controls
- Updated Risk Management Plan
- Updated Current Risk Profile and Target Risk Profile
Step 6: Authorize
Provide organizational accountability by requiring a senior management official to determine whether the security and privacy risks (including supply chain risk) to organizational operations and assets, individuals, or other organizations are acceptable.
The CUU DDDH must review CUU Risk Management Plans, authorize mitigation strategies and accept responsibility for any risks that are not remediated (risks are mitigated, accepted, or transferred). The CISO must be notified of any security and compliance risks that result in university-wide cybersecurity vulnerabilities and a 4-OP-H-25.20 Request for Exception to Security Policy may be required.
The CISO is responsible for addressing any security and compliance risks that result in university-wide cybersecurity vulnerabilities and for approval of any submitted Requests for Exception to Security Policy.
Outcome of this Step:
- Authorized Risk Accountability
Step 7: Monitor
Monitor systems and the associated controls on an ongoing basis to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system.
This step maintains ongoing situational awareness in support of risk management planning and decision-making.
Unit ISMs and Unit Privacy Coordinators are responsible for monitoring and addressing necessary updates to the Risk Management Plan. Unit information will be made available to the CUU ISM and CUU Privacy Coordinator.
CUU ISMs and CUU Privacy Coordinators are responsible for addressing necessary updates to the CUU Risk Management Plan.
Cybersecurity Readiness Scorecard
The Information Security and Privacy Office (ISPO) will partner with CUUs to complete a Cybersecurity Scorecard including Key Performance Indicators and metrics to evaluate their overall cybersecurity posture. This includes compliance with information security and privacy policies and the security products provided by the university and its technology environment. CUUs will be ranked using a scoring system where the lowest scores represent a more capable cybersecurity posture, and higher scores identify opportunities for improvement. ISPO will also provide CUUs with their scores and ranks relative to their CUU peer organizations. University executive leadership will be provided periodic reports that include all CUUs' scoring and their relative peer rankings on an ongoing basis.
Outcome of this Step:
- Updates to Risk Management Plans as needed
- Cybersecurity Readiness Scorecard
Incident Reporting
Incidents occur when an FSU student, staff, contractor, or faculty member violates this Standard, specific legal requirements, or contractual obligations. It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO) at security@fsu.edu. The CUU ISM or University Unit ISM must inform the CISO of any suspected or confirmed incidents within 24 hours. Refer to the 4-OP-H-25.11 IT Incident Response Standard for more information.