Office of Information Security

Risk Assessment

Risk Assessments help identify security gaps, increase compliance, and determine the overall security posture of Penn State.

WHY DO A RISK ASSESSMENT?

A Risk Assessment helps keep your unit and Penn State as a whole compliant:

  1. Penn State Policy AD95, Information Assurance and IT Security Policy, requires risk assessments based on the Information Security Risk Management Standard.
  2. They must be performed where required by regulations with which the University must comply, including, but not limited to, HIPAA, GLBA, and PCI.
  3. Risk Assessments identify security gaps, increase compliance, and help us determine the overall security posture of a system/service. Additionally, they help us aggregate risk to better understand our strengths and weaknesses and aid in prioritizing resources to protect Penn State’s most valuable information assets.

WHAT DO WE CURRENTLY ASSESS?

A Risk Assessment is required on the following types of information systems:

  • Level 3 (High) and Level 4 (Restricted) systems or services
  • Mission critical systems or services
  • Complete and provisional ATOs (Authorizations to Operate)

WHEN DOES A RISK ASSESSMENT NEED TO BE COMPLETED?

The chart below summarizes requirements for risk assessments by data classification level:

Information Classification Level | Required or Recommended | Risk Assessment Frequency | Assessment Performed by
-------------------------------- | ----------------------- | ------------------------- | ------------------------
Restricted (Level 4)             | Required                | Annual                    | OIS and Unit delegate(s)
High (Level 3)                   | Required                | Annual                    | OIS and Unit delegate(s)
Moderate (Level 2)               | Recommended             | Every 4 Years             | Unit delegate(s)
Low (Level 1)                    | Recommended             | Every 4 Years             | Unit delegate(s)

A member of the Risk Assessment team will contact units with Level 3 and 4 data to schedule the risk assessment. Units with Level 1 and 2 data who have questions regarding risk assessments can contact OIS at security@psu.edu or visit the Information Security Risk Management Standard.