UVa Seal

Policy: Information Technology Security Risk Management Program 

Date: 11/18/04 Policy ID: IRM-003 Status: Final

Policy Type: University
Contact Office: Information Security, Policy, and Records Office
Oversight Executive: Chief Information Officer
Applies To: Academic Division, the Medical Center, the College at Wise and University-related Foundations.
Table of Contents: 

Policy Statement

Reason for Policy: In today’s advanced technological world, many security threats exist to IT assets, upon which the University has become dependent to carry on its day to day functions. Given the serious damage that could result if these assets were lost or in other ways compromised, effectively managing security risks is a critical task for the University and its departments.

This policy establishes expectations for all departments to participate in the University’s Information Technology (IT) Security Risk Management Program. The program provides insight into existing risks within a given IT environment and strategies for reducing or eliminating those risks.

Policy Summary: 
Definition of Terms in Statement: Risk Management: The total process to identify, control, and manage the impact of potential harmful events, commensurate with the value of the protected assets. Risk management includes impact analysis, risk assessment, and continuity planning.

IT Impact Analysis: The identification of information, computing hardware and software, and associated personnel that require protection against unavailability, unauthorized access, modification, disclosure or other security breaches.

IT Risk Assessment: The determination and evaluation of threats to the IT resources identified through an impact analysis and the development of a plan to address any unacceptable risks.

IT Continuity Planning: The development of a plan for restoration of IT resources identified in the impact analysis and for interim manual processes for continuing critical departmental functions during the restoration process.

Policy Statement: 

The management of each University department is required to complete the process outlined in the University's Information Technology Security Risk Management Program at least once every three years, when there are significant changes to departmental IT assets, or when there are significant changes to the risk environment. The department head will sign off on the deliverables from this process and file these deliverables in the University's central repository for these documents.


An overview of the IT Security Risk Management Program, along with procedures, templates, and tools are posted on the University’s website at http://www.virginia.edu/informationsecurity/riskmanagement.


Related Information: In addition to being a widely accepted effective security practice, IT security risk management is required by state and federal regulations. See:

Gramm-Leach-Bliley Act of 1999, Standards for Safeguarding Customer Information; Final Rule – http://www.business.ftc.gov/documents/bus54-financial-institutions-and-customer-information-complying-safeguards-rule.

Health Insurance Portability and Accountability Act of 1996 Health Insurance Reform: Security Standards; Final Rule – http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html.

Policy Background: 

The University has an IT Security Risk Management Program, which includes information, templates, and tools to complete an impact analysis for IT assets managed by a department, a risk assessment for those assets, and continuity planning for events that could damage the assets or otherwise make them unavailable. Completing such a risk management process provides insight into existing risks within a given IT environment and strategies for reducing or eliminating those risks.

Major Category: Information Resource Management
Category Cross Reference: 
Next Scheduled Review: 04/11/17
Approved By, Date: Executive Vice President and Chief Operating Officer, 11/18/04
Revision History: Updated 5/15/14, 9/5/13, 4/11/11. Reviewed 11/18/2007. This is the first version of this policy.
Supersedes (previous policy):