Risk Management

It is important that every department assess IT security periodically. To aid in this effort, the IT Security Office (ITSO) has created a risk management framework to provide consistent definitions, processes and reports. This will allow departments, and the campus as a whole, to better understand IT-related risk and develop both focused and broad steps to address that risk. This framework is designed with existing and draft policies in mind to provide a minimal cost risk assessment option for departments.

CU-Boulder Risk Management Framework

This document should be reviewed by management and technology leads. The IT Security Office is happy to meet with departments to discuss risk assessment.

The first step for each department is to inventory and classify information assets. To assist in this step, the ITSO has developed guidance documents and templates:

CU-Boulder Guidance on Information Asset Classification

Additional Information

More information about security awareness topics, CU-Boulder campus security services and projects can be found on the IT Security page.

Source material and additional information on IT Risk Management:

• NIST 800 series publications
• CERT OCTAVE
• Educause Risk Assessment and Analysis Resources
• U Virginia IT Risk Management
• Microsoft Risk Management Guide