Risk Assessment Policy

Revision Date: 2009-04-28

Revision Number: 1.1

Policy Information:


1.0      Revision History

Northern Arizona University

Document No.:
Effective Date: May 28, 2009
Revision Date: May 28, 2009
Revision No.: Rev 1.1
Producer: Information Technology Services, Harper P. Johnson, Director of Information Security

2.0      Purpose

The purpose of the Risk Assessment Policy is to authorize the NAU Director of Information Security (IS) to perform periodic information security risk assessments for the purpose of determining areas of vulnerability, and to initiate appropriate remediation.


3.0      Definitions

Information – Data elements, whether in part or combined, that are of value to the University, such as student or employee records, intellectual property, research data, or other information. 

Information Systems – All computer and network systems owned by and/or administered by the University. This includes all computing platforms of all sizes from personal digital assistants (PDAs) to mainframe computers, all peripheral devices and media, and all data contained on those systems. 

Risks – Those factors that could affect the security, availability, and integrity of the University’s key information assets and systems.

University Administrators – For the purposes of this Policy, those individuals responsible for campus organizational units (e.g., deans, department chairs, principal investigators, directors, or managers) or individuals having functional ownership of data.


4.0      Applicability

4.1 This Policy applies to all Northern Arizona University faculty, staff, students, and University Affiliates. 

4.2  This Policy applies to all information systems owned by and/or administered within the University. This includes all computing platforms of all sizes from personal digital assistants (PDAs) to mainframe computers, all peripheral devices and media, and all data contained on those systems.  

4.3 This Policy applies to data in any tangible form whether it is written, printed, taped, or stored in hard copy or electronic form.   


5.0      Policy

5.1      The IS program is to be based on risk assessment and developed in consideration of university priorities, staffing, and budget. 

5.2      Risk assessments must identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the university. The results are to guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against these risks. 

5.3      Risk assessment must include the systematic approach of estimating the magnitude of risks (risk analysis) and the process of comparing the estimated risks against risk criteria to determine the significance of the risks (risk evaluation).  

5.4      Risk assessments are to be performed periodically to address changes in the security requirements and in the risk situation, e.g. in the assets, threats, vulnerabilities, impacts, the risk evaluation, and when significant changes occur.  

5.5      Risk assessments are to be undertaken in a methodical manner capable of producing comparable and reproducible results. The information security risk assessment should have a clearly defined scope in order to be effective and should include relationships with risk assessments in other areas, if appropriate. 


6.0      Roles & Responsibilities

President of the University: The President supports and authorizes this Policy for University-wide implementation.

University Administrators: University Administrators have a responsibility to ensure that this Policy is supported within their organizational units.

Director of Information Security: The Director of Information Security is responsible for developing and implementing procedures and guidelines necessary to implement this Policy.

7.0      Compliance

Persons who are subject to this Policy may also be subject to the provisions of applicable NAU Personnel Policies, the student employment handbook, and Arizona Board of Regents policies, including provisions for discipline for violation of this Policy, as well as applicable legal sanctions. 


8.0     References

Arizona Board of Regents:  Information Security Policy: 



Arizona Board of Regents: Information Security Guidelines: 



NAU Information Security Policy: http://www5.nau.edu/its/policies/#security  

