University Policies and Procedures Manual (previously Business Policies and Procedures Manual)
Information Security Risk Assessment
UPPM 87.25
For more information contact:
Information Technology Services
1.0 Overview and Purpose
1.1 Information Assurance Policies Generally
The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:
- Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;
- Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and
- Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.
The policies in this chapter comply with Federal Information Processing Standards (FIPS 199), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability.
To determine the potential consequence of a loss event, the Federal Information Processing Standards:
- Define WSU Information Owners’ impact categorization rating (Low, Moderate, or High);
- Dictate which security controls are mandatory based upon the categorization level;
- Define the strength, frequency, and formalization of those controls; and
- Influence audit burden and continuous monitoring rigor.
See UPPM 87.01 for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.
1.2 Specific Policy Overview and Purpose
Regular and systematic assessment for potential threats and vulnerabilities, including identifying, analyzing, and prioritizing risks, protects WSU’s information systems and data. This policy sets forth roles, responsibilities, and requirements for information security risk assessments so that appropriate safeguards can be implemented and maintained, thereby strengthening the security of WSU’s IT environment.
2.0 Applicability
This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.
Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with UPPM 87.23.
3.0 Roles and Responsibilities
3.1 Chief Information Officer
The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.
3.2 Information System Owners
Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy’s implementation.
3.3 Office of Information Security and Assurance (OISA)
WSU’s Office of Information Security and Assurance (OISA) shall maintain the standard associated with this policy and provide guidance on the procedures for implementing it (see the procedural examples).
Note: While all units are required to adhere to the standard established by OISA (NIST SP 800-53), procedural examples for implementation are optional.
4.0 Requirements
Information systems and the information collected, processed, stored, and transmitted by the systems are to be categorized in accordance with UPPM 87.53 and 87.15.
- Security categorization results, including supporting rationale, are to be documented in the system security plan for the information system in accordance with UPPM 87.15.
- The Authorizing Official, or their delegates, must review and approve the security categorization decision.
WSU Information System Owners, or their delegates, must identify the systems and system components that are critical to WSU’s mission and business objectives in accordance with UPPM 87.15.
An assessment of risk must be conducted that includes the likelihood and magnitude of probable harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it collects, processes, stores, or transmits. The risk assessment is to be conducted:
- Annually;
- Whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities); or
- Whenever other conditions arise that may impact the security posture of the system.
Risk assessment results are to be integrated into WSU’s enterprise risk management program.
Risk assessment results are to be documented in a risk assessment report and disseminated to:
- Information Owners, or their delegates;
- Information System or Service Owners, or their delegates;
- WSU OISA; and
- WSU Office of Compliance and Risk Management (CRM).
WSU Information System Owners must respond to findings from security and privacy assessments in accordance with WSU’s risk tolerance.
5.0 Training
See UPPM 87.21 for training requirements related to UPPM Chapter 87.
In addition to the requirements in UPPM 87.21, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner’s authority.
_______________________
Revisions: March 2026 (Rev. 654); July 2020 – new policy (Rev. 552)