Information Security

Risk Assessment

Risk Assessments help identify security gaps, increase compliance, and determine the overall security posture of Penn State.

WHY DO A RISK ASSESSMENT?

A Risk Assessment helps keep your unit and Penn State as a whole compliant:

  1. Penn State Policy AD95, Information Assurance and IT Security Policy, requires risk assessments based on the Information Security Risk Management Standard.
  2. They must be performed where required by regulations with which the University must comply, including, but not limited to, HIPAA, GLBA, and PCI.
  3. Risk Assessments identify security gaps, increase compliance, and help determine the overall security posture of a system or service. They also let the University aggregate risk across units to better understand its strengths and weaknesses, and they aid in prioritizing resources to protect Penn State’s most valuable information assets.

WHAT DO WE CURRENTLY ASSESS?

A Risk Assessment is required on the following types of information systems:

  • Level 3 (High) and Level 4 (Restricted) systems or services
  • Mission critical systems or services
  • Systems or services seeking a complete or provisional ATO (Authorization to Operate)

WHEN DOES A RISK ASSESSMENT NEED TO BE COMPLETED?

The chart below summarizes requirements for risk assessments by data classification level:

Information Classification Level | Required or Recommended | Risk Assessment Frequency | Assessment Performed by
Restricted (Level 4) | Required | Annual | Unit delegate(s) (IS upon request)
High (Level 3) | Required | Annual | Unit delegate(s) (IS upon request)
Moderate (Level 2) | Recommended (Required if Critical IT, Mission- or Business-Critical) | Every 4 years (Annual if Critical IT, Mission- or Business-Critical) | Unit delegate(s)
Low (Level 1) | Recommended (Required if Critical IT, Mission- or Business-Critical) | Every 4 years (Annual if Critical IT, Mission- or Business-Critical) | Unit delegate(s)

Units that have questions regarding risk assessments, including those with Level 1 or Level 2 data, can contact IS at ois-risk@psu.edu or consult the Information Security Risk Management Standard.

How do I complete a Risk Assessment?