
Risk management is a process in which an organization constantly assesses the level of risk it faces and takes action to reduce that risk. You look at the threats and vulnerabilities that your organization faces. You then take steps to reduce the resulting risk by mitigating the vulnerabilities and planning for the threats. The goal is to successfully mitigate such risks before the associated threat(s) can manifest and harm the organization.

Protect Assets

Guide Decisions

Reduce Risk

How is risk managed?

The National Institute of Standards and Technology (NIST) lays out a recommended process for identifying, controlling, and continuously monitoring the risk tied to each information system in an organization. The framework is designed to be a repeatable process that accomplishes the following tasks, drawing on a variety of publications and guidance provided by NIST:

  • Categorize System
    Categorize the sensitivity of the system’s data, followed by the enumeration of risks that might compromise the confidentiality, integrity, and availability of both the data and the information system.
    Associated NIST publications: FIPS 199 and SP 800-60.
  • Select Controls
    Select a specific set of security controls based on the sensitivity of the data and implement these controls while architecting the information system during the software/system development life cycle (SDLC).
    Associated NIST publications: FIPS 200 and SP 800-53.
  • Implement Controls
    Implement and test the security controls as the information system is built.
    Associated NIST publications: SP 800-34, SP 800-61, and SP 800-128.
  • Assess Controls
    Assess the performance and effectiveness of both the information system and the security controls to provide assurance that they are working as intended.
    Associated NIST publication: SP 800-53A.
  • Authorize System
    Gain authorization and approval for the information system to begin processing, transmitting, and storing data to accomplish its mission.
    Associated NIST publication: SP 800-37.
  • Monitor Controls
    Continuously monitor the security controls to ensure they remain effective throughout the life cycle of the information system.
    Associated NIST publications: SP 800-37, SP 800-53A, and SP 800-137.
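The first two steps above, categorizing the system and selecting a control baseline, follow a mechanical rule that is easy to get wrong when a system handles several kinds of data. The example below is an added illustration, not code from UAB or NIST: it applies the FIPS 199 high-water-mark rule (each security objective takes the highest impact level assigned to it across the system's information types) and then derives the overall system impact level that FIPS 200 and SP 800-53 map to the LOW, MODERATE, or HIGH control baseline. The information types and their impact levels are constructed sample values, not taken from SP 800-60.

```python
"""FIPS 199 security categorization and overall impact level.

Added example (not UAB's or NIST's code). Implements the FIPS 199
high-water-mark rule: for each security objective, a system's impact
level is the highest level assigned to that objective across the
information types it handles; the overall system impact level used to
pick the FIPS 200 / SP 800-53 baseline is the highest of the three.
All information types below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

# FIPS 199 impact levels, in increasing order of severity.
IMPACT_ORDER = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One information type with its impact level per security objective.

    In practice the provisional levels come from SP 800-60 Volume II and
    are then adjusted for the organization; here they are sample values.
    """
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> str:
        return getattr(self, objective)


def _check_level(level: str) -> str:
    """Reject anything that is not one of the three FIPS 199 levels."""
    if level not in IMPACT_ORDER:
        raise ValueError(f"unknown impact level: {level!r}")
    return level


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the most severe of the given impact levels."""
    return max((_check_level(lvl) for lvl in levels), key=IMPACT_ORDER.index)


def categorize_system(info_types: Iterable[InformationType]) -> Dict[str, str]:
    """FIPS 199 security category of a system: the per-objective high-water mark."""
    info_types = list(info_types)
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    return {
        obj: high_water_mark(t.impact(obj) for t in info_types)
        for obj in OBJECTIVES
    }


def overall_impact(category: Dict[str, str]) -> str:
    """Overall system impact level (FIPS 200): the highest of the three objectives."""
    return high_water_mark(category[obj] for obj in OBJECTIVES)


def format_category(category: Dict[str, str]) -> str:
    """Render the category in the FIPS 199 notation SC = {(objective, impact), ...}."""
    inner = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + inner + "}"


if __name__ == "__main__":
    # Constructed sample: a departmental web application that stores
    # student records, publishes a public course catalogue, and holds
    # its own user credentials.
    sample = [
        InformationType("student records", "MODERATE", "MODERATE", "LOW"),
        InformationType("public course catalogue", "LOW", "MODERATE", "LOW"),
        InformationType("user credentials", "HIGH", "HIGH", "MODERATE"),
    ]
    cat = categorize_system(sample)
    print(format_category(cat))
    print("overall impact level (control baseline):", overall_impact(cat))
```

Two things worth noting when using this in an assessment: the overall level is driven by the single most sensitive information type, so adding one HIGH-confidentiality data set to an otherwise LOW system moves the whole system to the HIGH baseline, which is exactly why the categorize step enumerates every information type the system touches. FIPS 199 also allows "not applicable" for the confidentiality of public information at the information-type level (never at the system level); this code does not model that value and expects LOW as the floor.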

Risk Assessments

One of the best ways to identify the threats and vulnerabilities your organization faces, and the risk they pose, is to conduct a risk assessment. A risk assessment is the process of identifying, estimating, and prioritizing risks to organizational operations and assets that arise from the operation of an information system. At a minimum, we recommend that UAB organizations conduct risk assessments when:

  • A new third-party vendor is being considered to provide a service or product that involves UAB data, UAB information systems, and/or UAB information technology resources, such as networking.
    Note: Vendors that already provide such services or products should be required to annually complete a risk assessment to determine whether the associated level of risk has increased or decreased during the previous year.
  • A new information system or web application is being developed and deployed by a UAB organization.
    Note: Existing UAB-owned information systems and web applications should annually undergo a risk assessment to determine whether the associated level of risk has increased or decreased during the previous year.
  • Compliance frameworks, such as PCI DSS, HIPAA, or FISMA, require that a risk assessment be conducted.

We can assist in the risk assessment process by providing the assessment tools, offering guidance on how to answer the questions in those tools, reviewing the completed assessment, and helping organizations reduce areas of significant risk to an acceptable level.

Learn More

Are you interested in learning more about risk management? See the following NIST standards and special publications:

  • FIPS 199: Standards for Security Categorization of Federal Information and Information Systems
  • FIPS 200: Minimum Security Requirements for Federal Information and Information Systems
  • NIST SP 800-30: Guide for Conducting Risk Assessments
  • NIST SP 800-34: Contingency Planning Guide for Federal Information Systems
  • NIST SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems
  • NIST SP 800-50: Building an Information Technology Security Awareness and Training Program
  • NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
  • NIST SP 800-53A: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
  • NIST SP 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories
  • NIST SP 800-61: Computer Security Incident Handling Guide
  • NIST SP 800-64: Security Considerations in the System Development Life Cycle
  • NIST SP 800-128: Guide for Security-Focused Configuration Management of Information Systems
  • NIST SP 800-137: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations