Function: Identify (ID)
Category: Risk Management Strategy (RM)
“The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.”
This category reinforces information security as a business function. That is, key stakeholders are involved in setting the priorities and risk tolerance to the organization and this drives the security operational decisions.
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders.
A documented approach to risk management is not a technical issue but one that requires organizational decisions related to risk tolerance, acceptable risk assessment methodologies, and a process for consistently evaluating cybersecurity risk across the organization. This risk management strategy can be informed by information from other sources, including NSHE, other institutions, and organizations to ensure the strategy is broad and comprehensive.
Auditors may want documentation that shows the framework or process the organization uses for risk management and that it is updated on a regular basis. The strategy document should show the appropriate owner of the process and the stakeholders throughout the institution who are involved or are informed of the process.
ID.RM-2: Organizational risk tolerance is determined and clearly expressed.
This is a statement to identify the organization’s appetite for risk. Does the organization understand the risk to PII or other regulated data and the level of acceptable risk the organization is willing to take. This is a business decision, not a technical one.
Auditors are looking for a statement that demonstrates the risk tolerance of the organization. This may be in policy or part of another document as long as it is written and is approved by those ultimately responsible for risk.
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis.
The organization should demonstrate that it recognizes the specific threats to information in a higher education environment and the criticality of the data that is stored, processed, or transmitted. This should be documented through a mission statement or other written document that is reviewed and accepted by those responsible for managing risk at the organization.
Auditors may want a copy of any risk management strategy that pertains to cybersecurity and verify it aligns with the role played in higher education.