Document Name: NCSA Risk Management Program
Version: 1.1
Accountable: James Eyrich
Authors: Alex Withers

Reviewed: Nov 6, 2023
Approved:  Dec 20, 2019

Purpose

Risk Management Program to conduct thorough and timely risk assessments of the potential threats and vulnerabilities to the confidentiality, integrity, and availability of NCSA's computational resources.  This program enables NCSA to develop strategies to efficiently and effectively mitigate the risks identified in the assessment process. Information produced during the risk assessment will be used to determine and manage security controls for NCSA's computational resources.

Scope

This risk management program applies to all NCSA resources that do not fall under a separate risk management program (i.e. ACHE).

Standards

The risk management program consists of two processes:

  1. Risk Assessment - Identifies and prioritizes the risks to information system security and determines the probability of occurrence and the resulting impact for each threat/vulnerability pair identified given the security controls in place.
  2. Risk Mitigation - a process that prioritizes, evaluates, and implements security controls that will reduce or offset the risks determining the risk assessment process to satisfactory levels within an organization given its mission and available resources.


Risk Assessment Frequency

A risk assessment will be performed periodically by the NCSA Security Office. Exceptions to this include (i) substantial infrastructure/environment changes that would require a new impact analysis and (ii) a security incident that warrants reevaluation of risks.

Risk Assessment Components

A risk assessment is conducted as per the documented NCSA Risk Assessment and Mitigation procedure. Risks will be recorded in the NCSA risks register, and risk assessments will be saved indefinitely.

NCSA implements security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to:

  1. Ensure the confidentiality, integrity, and availability of all NCSA computational resources and
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of NCSA's data.

Risk Management Process


The risk assessment is part of an on-going process to understand and manage risk. The broader process contains the following steps as per the documented NCSA Risk Assessment and Mitigation procedure:

Privacy

All data from the risk assessment is kept confidential and not shared without written approval from the NCSA Security Office.

Consequences

All workforce members are expected to fully cooperate with all persons charged with doing risk management work.