KUMC Information Security Risk Assessment Policy
The purpose of this policy is to establish a process to manage risks to the University of Kansas Medical Center (KUMC) that result from threats to the confidentiality, integrity and availability of KUMC data and information systems.
This policy applies to all KUMC units and all affiliates connected to the KUMC network.
- It is the policy of KUMC to conduct thorough and timely risk assessments of the potential threats and vulnerabilities to the confidentiality, integrity, and availability of its confidential and proprietary information, and to develop strategies to efficiently and effectively mitigate the risks identified in the risk assessment process as an integral part of its information security program.
- Risk assessments shall be conducted at least every 2 years for information systems that store, process, or transmit data classified as Moderate Risk or High Risk under the KUMC policy on Data Classification, or more frequently where designated by KUMC’s Chief Information Security Officer (CISO).
- The KUMC CISO is responsible for developing and implementing risk assessment procedures to facilitate completion of the risk assessment process by all KUMC units. All KUMC units are responsible for assuring that periodic risk assessment is conducted in accordance with this policy and KUMC risk assessment procedures. KUMC’s IT Security Office will maintain a digital archive of risk assessment reports for each area.
- KUMC’s IT Security Office, in collaboration with KUMC’s Privacy Office, will perform and document a periodic institutional security risk assessment to address the requirements of the Health Insurance Portability and Accountability Act and its implementing regulations.
- Risks identified by a risk assessment must have security measures implemented to reduce risks and vulnerabilities to a reasonable and appropriate level to provide for data confidentiality, integrity and availability, and to protect against any reasonably anticipated threats or hazards.
- Exceptions to KUMC information security policies or procedures will require review of the outcome of the risk assessment by the CISO to determine future actions. Deviations will be documented by the CISO or designee and approved by the applicable Vice Chancellor.
- All units must conduct a risk assessment when implementing a new technology product, project or service. Where indicated by the KUMC Risk Assessment Procedure, implementation of a new technology product, project or service shall require risk assessment by Information Security, in conjunction with the Privacy Office, Office of General Counsel and/or Purchasing.
Members of the KUMC community who are found to have violated this policy are subject to disciplinary action appropriate to their status as faculty, staff, student employees, or students.
Chief Information Security Officer 913-588-0966
2016-06-30 new posting