Introduction:

Rockhurst University recognizes the importance of conducting risk assessments to identify and evaluate risks to the security, confidentiality, and integrity of nonpublic personal information (NPI) and student FERPA educational records. This Risk Assessment and Management Process outlines the steps involved in conducting effective risk assessments to ensure the protection of sensitive data.

Scope:

This process applies to all individuals and entities associated with Rockhurst University who handle or have access to systems and data containing NPI and student educational records, including faculty, staff, students, contractors, and any external parties with access to university systems or sensitive data.

Risk Assessment Objectives:

The primary objectives of Rockhurst University's Risk Assessment and Management Process are as follows:

  1. Identify and assess risks to the security, confidentiality, and integrity of NPI and student FERPA educational records.
  2. Evaluate the potential impact and likelihood of identified risks.
  3. Prioritize risks based on their level of significance and potential impact.
  4. Develop appropriate risk mitigation strategies and controls.
  5. Monitor and review risks periodically to ensure ongoing effectiveness of mitigation measures.

Risk Assessment Process:

The risk assessment process consists of the following steps:

  1. Establish the Risk Assessment Team:
  1. Designate a cross-functional team responsible for conducting risk assessments. The team may include representatives from information security, IT, data custodians, legal, compliance, and other relevant departments.
  2. Ensure that team members possess the necessary expertise and knowledge of the university's systems, data, and regulatory requirements.
  1. Identify Assets and Data:
  1. Identify and document the assets and systems that store, process, or transmit NPI and student FERPA educational records.
  2. Classify the sensitivity and criticality of the identified assets and data.
  1. Identify Threats and Vulnerabilities:
  1. Identify and assess potential threats and vulnerabilities that could impact the security, confidentiality, and integrity of NPI and student educational records.
  2. Consider both internal and external threats, including malicious activities, natural disasters, human errors, and technological failures.
  3. Evaluate existing controls and safeguards to determine their effectiveness in mitigating identified threats and vulnerabilities.
  1. Assess Risk Impact and Likelihood:
  1. Evaluate the potential impact and likelihood of each identified risk. Consider the potential harm, financial impact, reputational damage, legal and regulatory consequences, and the likelihood of occurrence.
  2. Assign a risk rating or score to each identified risk based on its impact and likelihood.
  1. Prioritize Risks:
  1. Prioritize risks based on their risk rating or score.
  2. Focus on risks with the highest impact and likelihood, as they pose the most significant threat to the security, confidentiality, and integrity of NPI and student educational records.
  1. Develop Risk Mitigation Strategies:
  1. Develop risk mitigation strategies and controls to address the identified risks.
  2. Determine the most appropriate and feasible controls, taking into account cost-effectiveness, regulatory requirements, and organizational capabilities.
  3. Document the recommended controls and their implementation timelines.
  1. Implement and Monitor Controls:
  1. Implement the recommended controls in accordance with the defined timelines.
  2. Establish monitoring mechanisms to regularly assess the effectiveness of implemented controls.
  3. Monitor changes in the risk landscape and adjust controls as necessary.
  1. Review and Update:
  1. Conduct periodic reviews of the risk assessment process to ensure its effectiveness and relevance.
  2. Update the risk assessment documentation to reflect changes in the university's systems, data, or regulatory requirements.

Documentation and Reporting:

  1. Maintain comprehensive documentation of the risk assessment process, including identified risks, risk ratings, mitigation strategies, and control implementation.
  2. Generate reports summarizing the results of risk assessments, including prioritized risks and recommended mitigation actions, for review by management, stakeholders, and auditors.

Training and Awareness:

  1. Provide training and awareness programs to educate employees and relevant individuals about the risk assessment process, their roles and responsibilities, and the importance of protecting NPI and student educational records.

Policy Review and Updates:

Periodically review and update the Risk Assessment and Management Process to align with evolving threats, technologies, and regulatory requirements.

By following this Risk Assessment and Management Process, Rockhurst University aims to proactively identify and mitigate risks to the security, confidentiality, and integrity of NPI and student educational records, ensuring the protection of sensitive data and compliance with applicable regulations.