Risk Management | St. George's University

Risk Management

August 3, 2018

Purpose

The purpose of this policy is to address organizational risk through the Risk Management activities of St. George’s University, University Support Services, and any other operating units of Medforth Global Healthcare Education Group LP identified by management (collectively, the Enterprise). Risk Management identifies, tracks, and reports on all security risks across the Enterprise.

Scope

This policy applies to all Enterprise controlled entities, including, but not limited to, all Enterprise faculty, staff, students, and third parties.

Background

In this context, risk is the measure of the extent to which the Enterprise is threatened by a potential circumstance or event. The risk associated with a potential event is a function of: (i) the adverse impacts that would arise if that circumstance or event occurs, (ii) the event’s likelihood of occurrence, and (iii) the Enterprise’s vulnerability to that event.

The concept of cybersecurity risk includes operational risk to information and technology assets that may affect the availability, integrity or confidentiality of information or information systems. This policy is designed to enable effective risk management across the Enterprise.

Roles and Responsibilities

The Enterprise must create and maintain the role of a Risk Management Team that is responsible for collecting input from periodic risk assessments, the Enterprise’s threat and vulnerability management activities, and any other Enterprise processes to identify all security risks facing the organization. Taking into account the Enterprise’s business needs, the Risk Management Team must also work in collaboration with the Cyber Security Committee to define the Enterprise’s organizational risk tolerance. In addition to identifying sources of security risk, the team must track previously identified risks in a risk register.

Policy Statement

Risk management must be an integral part of the institution’s decision-making process for all areas of information security and must be incorporated within the strategic and operational planning processes at all levels across the institution.

Risk assessments are a vital part of any risk management activities, and risk assessment processes must be defined prior to any assessment. Risk assessments must be conducted on new projects, systems, and vendors to ensure that the exposure to risk from each is acceptable and formally approved before onboarding. Risk assessments must also be performed periodically for existing technologies, to confirm that the Enterprise’s entire threat landscape and risk profile are understood.

The Risk Management Team must also collect risk information from the Enterprise’s broader security processes. This includes information provided from threat intelligence and vulnerability management activities, and lessons learned from past incidents or incident simulations.

Any identified risks must be documented, analyzed and reported, and a risk register or inventory of all identified risks must be maintained. The contents of this register should guide the Risk Management Team in advising the Cyber Security Committee and help provide a complete picture of the Enterprise’s risk profile. Risk assessment results must be used to determine potential security improvements that align with the Enterprise’s business needs and risk tolerance.

Each identified risk must be analyzed to understand its potential impact and to provide input and guidance for deciding on the most appropriate form of remediation or mitigation. Upon completion of the analysis phase, the team that has performed the analysis will recommend steps to remediate, mitigate, or accept sources of risk.

The risk register will guide efforts to remediate or mitigate risks with the intent to reach acceptable levels of risk for any project, system, or vendor. Final decisions on risk mitigation plans or acceptance of residual risk must be made either by the Cyber Security Committee, or by the Risk Management Team if delegated, and these decisions must be tracked in the risk register.

Related Documents