Information Security at RIT

Risk Management Framework
Structure and Resources

Risk Management Framework

RIT has applied a risk management approach to information security. In order to manage information security risks, RIT attempts to:

Assess risks to identify and prioritize the greatest information security risks
Prevent information losses through policies/standards/guidelines, technical controls and education/training/awareness.
In the event of a loss, RIT seeks to minimize that loss through incident response, business continuity, and disaster recovery. When it is unclear whether a loss has occurred, RIT will conduct a forensics investigation.
In the event of a loss, RIT seeks to protect the RIT community from harm through risk management and insurance practices.
RIT regularly evaluates information security through information security reviews and audits.

Step 1: Risk Assessment

Information security risk is created by the confluence of three major drivers: assets, vulnerabilities, and threats. In order to understand information security risk, it is necessary to understand the current and future state of each of these elements. In order to minimize risk, it is necessary to manage assets, vulnerabilities, and threats through formalized programs.

Step 2: Loss Prevention

loss prevention (step 2)

Step 3: Loss Control

Loss Control is accomplished through initiatives in the following areas:

Technical Controls
Solutions Life Cycle Management, a formal process for reviewing new assets, potential risk, and appropriate controls
Security Education, Training, and Awareness (SETA) Program
Forensics Investigations and the Incident Handling Standard