GOVERNANCE, RISK, AND COMPLIANCE (GRC)

GRC Mission

At The Pennsylvania State University, the mission of Governance, Risk, and Compliance (GRC) is to safeguard the confidentiality, integrity, and availability of university data and systems. We achieve this by delivering consistent and actionable risk assessments and providing guidance to mitigate identified risks. Through these efforts, we aim to minimize the impact of cybersecurity incidents on the Penn State community while fostering a culture of cybersecurity that is built on awareness and adherence to cybersecurity best practices.

GRC Vision

At The Pennsylvania State University, the vision of Governance, Risk, and Compliance (GRC) is to establish a culture of cybersecurity awareness and continuous improvement across Penn State. We are a trusted partner in safeguarding Penn State’s information assets by implementing a structured risk assessment program. Through collaboration with university stakeholders, GRC delivers effective risk evaluations, ensures regulatory compliance, maintains actionable security metrics, and offers guidance on risk mitigation. We empower the Penn State community to thrive in a secure, dependable digital environment that supports the University’s mission of teaching, research, and service.

WHY DO A RISK ASSESSMENT?

A Risk Assessment helps keep your unit, and Penn State as a whole, compliant:

  1. Penn State Policy AD95, Information Assurance and IT Security Policy, requires risk assessments based on the Information Security Risk Management Standard.
  2. They must be performed where required by regulations with which the University must comply, including, but not limited to, HIPAA, GLBA, and PCI.
  3. Risk Assessments identify security gaps, increase compliance, and help us determine the overall security posture of a system/service. Additionally, they help us aggregate risk to better understand our strengths and weaknesses and aid in prioritizing resources to protect Penn State’s most valuable information assets.

WHAT DO WE CURRENTLY ASSESS?

A Risk Assessment is required on the following types of information systems and services:

Level 3 (High) and Level 4 (Restricted) systems or services, and mission-critical systems and services

Full Risk Assessment
A comprehensive risk analysis conducted on a defined scope—such as a specific technology, infrastructure, process, or department—evaluated against Penn State’s institutional security standards, regulatory requirements, and risk tolerance. This assessment supports compliance with laws and regulations such as HIPAA, GLBA, and other applicable federal and state mandates. It leverages recognized security frameworks, including NIST SP 800-53, NIST Cybersecurity Framework (CSF), ISO/IEC 27001/31000, and CMMC, to ensure a consistent, thorough, and defensible evaluation of the university’s security posture.

Estimated Time: 1-2 months

Systems or services requiring a complete or provisional Authority to Operate (ATO)

ATO Compliance Review
Assesses a defined-scope technology, infrastructure, process, or department against the security posture expected under Penn State Policy AD95.

Estimated Time: 2-4 weeks

Third-party or vendor-managed systems that store, process, or transmit institutional data, especially if they involve integration with internal systems or access to sensitive data

Request to Procure (RTP) Technology Review – Third-Party Vendor Security and Compliance Standard
Used to review initial risk before purchase (may include software requests, contract reviews, or participation in an RFP process).

Estimated Time: 2-4 weeks

WHEN ARE RISK ASSESSMENTS REQUIRED?

Information Security Risk Management Standard

A risk assessment is required if your project involves:

  • Level 3 (High) or Level 4 (Restricted) data
  • Mission-critical systems or applications
  • Vendor-hosted or cloud-based platforms
  • Research involving sensitive or regulated data
  • Tools requiring integration with university systems
  • A complete or provisional Authority to Operate (ATO)

COMPLETE A RISK ASSESSMENT INTAKE FORM