IT Risk Assessment Policy: IR



IT risk assessments are designed to evaluate the security posture of a system or application, with the purpose of making management aware of the major security risks in the SPC infrastructure and of recommending plans to mitigate those risks.

The principal goal of a risk management process is to protect the College and its ability to perform its mission. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the College. 

Risk assessments will be conducted annually and/or on an ad hoc basis in response to specific events, such as major modifications to the system's environment, a security incident, or an audit.



The SPC Risk Assessment Policy applies to all stakeholders involved in preserving the confidentiality, integrity and availability of information technology resources.

Stakeholders include, but are not limited to, SPC administration, application administrators, system administrators, data owners, users, and information security personnel.



Appropriate security levels and data control requirements must be determined for all information technology resources based on SPC confidentiality, integrity and availability requirements for the information, as well as its criticality to SPC’s mission and legal requirements. 

Information technology risk analysis and management processes require gathering a broad range of data on information technology assets and potential threats. The data collection phases of the risk management process include an information technology asset inventory, consisting of server build documentation, network penetration tests, logs, patch histories and the output of other vulnerability assessment tools for essential assets.

The ISO shall periodically (at least annually) complete or commission a risk assessment of the information resources considered essential to the College's critical mission and functions, and shall recommend, to the owners and custodians of these resources, appropriate risk mitigation measures, technical controls, and procedural safeguards.

The assessment may incorporate self-assessment questionnaires, vulnerability scans, scans for confidential information, and penetration testing. Findings and recommendations shall be provided to the owners and custodians of the information assets and shall also be presented to the VP for Business Affairs for sharing with the president as appropriate. 

The key roles of personnel who are responsible for the protection of SPC information technology resources and participate in the risk management/assessment process can be found in the SPC Information Security Program at http://[LINK TO INFORMATION SECURITY PROGRAM]. Roles include Data Owner or designated representative(s), Data Custodian(s), Users, Information Security Officer (ISO), and Information Resources Manager.


Related Policies, References and Attachments:

An index of approved SPC-IS policies can be found on the SPC Policies website at  The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.

DIR Security Controls Catalog Control Group: PM-9


Approved by:  Executive Council, April 4, 2019

Next Review: October 1, 2020