• Home
  • Security Procedure: Risk and Vulnerability Assessments

Security Procedure: Risk and Vulnerability Assessments

Procedure
Purpose: 

The procedure describes a framework for the assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic and paper data held by units of the University and outlines those items normally assessed in a University conducted Risk and Vulnerability Assessment.

Applies to: 

This procedure applies to all units connected to the University network. The selection of units shall be prioritized by the Information Security Officer based on regulatory requirements, and identification of need due to business activities.

Campus: 
Edwards
Lawrence
Juniper Gardens
Parsons
Yoder
Topeka
Policy Statement: 

General Policy Provisions

The University utilizes a modified version of the OCTAVE methodology for assessing risks to information systems. The following items shall be assessed on a regular basis in all units covered by this policy for their technology environment.

  1. Survey of administrative security measures
    1. Security awareness training
    2. Security Strategy
    3. Security Management
    4. Security Policies
    5. Collaborative security management
    6. Contingency planning/Disaster recovery
    7. Physical security
    8. Authentication and authorization
    9. Incident management
    10. General staff practices
    11. Information management
  2. Assessment of information management practice
  3. Inventory of information systems

For HIPAA covered components, the above items will be augmented by an enhanced comprehensive risk assessment to include business practices.

Consequences: 

Units in violation of this policy are subject to the loss of network access privileges and potential disciplinary action for appropriate personnel.

Contact: 

Office of the Chief Information Officer
1001 Sunnyside Avenue 
Lawrence, KS 66045
785-864-4999
kucio@ku.edu

Approved by: 
Chief Information Officer
Approved on: 
Friday, April 1, 2005
Effective on: 
Saturday, April 2, 2005
Review Cycle: 
Annual (As Needed)
Keywords: 
risk assessment, vulnerability, compliance, RVA
Change History: 

01/26/2022: Updated the contact section.
02/24/2015: Updated to reflect current practice.

Information Access & Technology Categories: 
Privacy & Security

Can't Find What You're Looking For?
Policy Library Search
KU Today
One of 34 U.S. public institutions in the prestigious Association of American Universities
Nearly $290 million in financial aid annually
44 nationally ranked graduate programs.
—U.S. News & World Report
Top 50 nationwide for size of library collection.
—ALA
23rd nationwide for service to veterans —"Best for Vets," Military Times