RMC mission & vision
RMC mission
The RMC mission is to protect the confidentiality, integrity, and availability of university data and systems by providing consistent and meaningful risk assessments and by providing guidance to lessen identified risks. Through these assessments and recommendations, we minimize the impact of cybersecurity incidents on the university community and promote awareness of cybersecurity best practices.
RMC vision
The RMC vision is to establish a culture of cybersecurity awareness and continuous improvement on campus. We strive to be a trusted campus partner in the protection of UW’s information assets, by utilizing a formalized risk assessment program. Through collaboration efforts with campus partners, RMC will provide effective risk assessments, regulatory compliance, security metrics and risk mitigation guidance. We aim to enable the campus community to operate in a secure and reliable digital environment that supports the University’s mission.
RMC service catalog
It’s never too late to ensure data security on campus. The Cybersecurity Risk Management & Compliance team can assist at any point in your use of a new service, application, or vendor.
RMC can take a high-level look at services, tools, or vendors prior to purchase, during implementation, or while the tool is already in use.
The process begins by entering a new risk assessment request. These requests are reviewed and entered into a queue based on when they were received. Assessment timelines stated below begin once a risk analyst is available, not when the submission occurs. When the analyst starts your assessment, they will contact you to gather additional information.
Providing documentation in advance, such as a SOC2, CAIQ, or HECVAT, and attaching it to your risk assessment request can substantially decrease review time. The risk assessment process requires input from your team to reach completion. Lack of documentation or vendor responsiveness can lead to delays and a potential increase in overall assessed risk.
At any time, please feel free to contact RMC to review the status of your request.
RMC assessment types
Unsure which assessment type is needed? No problem! Fill out a OneTrust intake form!
Risk Assessment Process
To support the mission and vision of the University and the Risk Management and Compliance team, the process below details roles and responsibilities needed during the collaborative risk assessment process. Securing data for the University of Wisconsin–Madison is most successful when all stakeholders participate. Working jointly, we can maintain security compliance with standards, policies, laws, and regulations to protect sensitive information.
Addressing risks in OneTrust and documenting treatment actions taken to reduce risk will complete this process. Best security practice is to dedicate resources to continued risk management.
Service Owners, in collaboration with their IT support staff, should address all risks identified during this process, to further secure data where and to the extent resources permit. Should this system undergo any significant changes, please reach out to The Office of Cybersecurity for a risk assessment (See below). Results presented during the risk review process are not an approval/denial of the use of analyzed technologies. Results presented outline the continued risk of use of this technology in its current state. UW–Madison encourages a continual focus on securing data which requires the review and remediation of all risks as an ongoing activity.
Campus partner resources
Find additional resources to assist with the interpretation and evaluation of risk for services used on the UW–Madison campus.
Data classification
Classifying data gives the Office of Cybersecurity a clear view of what kind of data is held in a school, department, college, or network.
Data Classification should also consider:
• Where data is stored
• How data flows
• Who has access to it
• Scope of the data to protect
• Retention schedules of data
Public
Data should be classified as Public prior to display on websites or once published without access restrictions, and when the unauthorized disclosure, alteration, or destruction of that data would result in little or no risk to the University and its affiliates.
Sensitive
Data should be classified as Sensitive when the unauthorized disclosure, alteration, loss or destruction of that data could cause a moderate level of risk to the University, affiliates or research projects. Data should be classified as Sensitive if the loss of confidentiality, integrity or availability of the data could have a serious adverse effect on university operations, assets or individuals.
Internal
Data should be classified as Internal when the unauthorized disclosure, alteration, loss or destruction of that data could result in some risk to the University, affiliates, or research projects. By default, all Institutional Data that is not explicitly classified as Restricted, Sensitive or Public data should be treated as Internal data.
Restricted
Data should be classified as Restricted when the unauthorized disclosure, alteration, loss or destruction of that data could cause a significant level of risk to the University, affiliates or research projects. Data should be classified as Restricted if protection of the data is required by law or regulation or UW–Madison is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed.
Additional information about data classification
Determining risk
When calculating risk, the Office of Cybersecurity will always rely on the ability to trust the risk math. This risk is a combination of qualitative and quantitative measurements and is a joint effort between risk analysts and the business unit. The formula for calculation of risk looks like this:
Risk = Likelihood × Impact
Likelihood
Likelihood is a frequency-based measurement. UW–Madison bases frequency on a 3-year period.
Impact
Impact is the outcome that affects the political, financial, legal, operational, or reputational areas of campus.
Risk Rating Scoring At A Glance
Risk Rating Scores are calculated by multiplying the Likelihood score (1-5) by the Impact score (1-5).
For example, the risk rating score for an exploit with a likelihood score of 1 (very unlikely) and an impact score of 5 (highest impact) is calculated as 1 × 5 = 5, giving a moderate risk rating score.
Rows are the Likelihood score (1-5), columns are the Impact score (1-5), and each cell is Likelihood × Impact:

| Likelihood ↓ / Impact → | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| 5 | 5 | 10 | 15 | 20 | 25 |
| 4 | 4 | 8 | 12 | 16 | 20 |
| 3 | 3 | 6 | 9 | 12 | 15 |
| 2 | 2 | 4 | 6 | 8 | 10 |
| 1 | 1 | 2 | 3 | 4 | 5 |
Campus Risk Ratings
The matrix presented is consistent with the NIST Risk Management Framework (RMF) process and Federal Information Processing Standards (FIPS) guidance. A generalized presentation of the FIPS-specific matrix can be found in FIPS 199, February 2004, Table 1.
- The Risk Levels presented here are the standard terms to be used at UW to facilitate improved communication across diverse groups.
- Risk ratings aid all parties in decision making throughout the RMF process.
- Typically, the table is not used in isolation: Impact and Likelihood must be defined and assessed. Discussion of these parameters follows.
- The impact to your group’s mission and the assessment of likelihood of realization of the impact from a threat-vulnerability combination should be tailored to your individual environment and needs.
- The likelihood and impact help in scoring risks of individual security gaps. The resulting risk scores assist in assessing an overall risk for analyses.
Risk ratings — calculating meaningful scores
A brief discussion follows, along with some examples. Please consult the UW–Madison Cybersecurity team if a more detailed discussion is needed regarding the development of a tailored impact score matrix, as well as the building of a Risk Register (not shown) from the resulting scoring.
Risk is attributed to assets based on the analysis of multiple factors which influence the Availability, Integrity or Confidentiality (AIC) of the asset.
- Confidentiality – preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
- Integrity – guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity.
- Availability – ensuring timely and reliable access to and use of information.
Factors include:
- Threats posed to that asset
- Vulnerabilities that expose the asset
- The impact to any of the UW–Madison mission, values or guiding principles
- The likelihood that the availability, integrity or confidentiality of the asset will be compromised through a given vulnerability by a threat actor
In a quasi-equation format:
[Risk(to AIC of an asset), (from a threat-vulnerability pairing)] = [the Likelihood of exploitation in a given time frame] × [the impact of such exploitation]
Or simply, Risk = Likelihood × Impact
Risk-scoring notes:
- The cataloging of risk calculations for assets is accomplished through OneTrust which acts as a Risk Register.
- Existing security controls need to be considered when evaluating the likelihood of an event.
- Similarly, existing controls are considered where they limit the impact felt by your mission.
- When a single score is required for a complex system, the highest risk level found across all components of the asset is used.
- Risks of a threat-vulnerability pairing can be evaluated individually for Availability, Integrity and Confidentiality (AIC) of the asset. Similarly, a single risk scoring can consider two of these or all three parameters.
Risk level is influenced by both the type and the volume of data in question; both are considerations that feed into the Impact score.
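The scoring described above (Risk = Likelihood × Impact on 1-5 scales, the 5×5 matrix, separate A/I/C scoring, and the highest-component rule for complex systems) worked through as an added example. This is illustrative code written for this page, not the Office of Cybersecurity's tooling or OneTrust; the register entries, component names, and scores are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed example (not the Office of Cybersecurity's tooling or OneTrust): applies the
# page's Risk = Likelihood x Impact scoring on 1-5 scales, scores A/I/C separately where
# wanted, and takes the highest component score for a complex system, per the scoring notes.

SCALE = range(1, 6)  # both Likelihood and Impact are scored 1-5


def risk_score(likelihood: int, impact: int) -> int:
    """Risk rating score for one threat-vulnerability pairing."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    return likelihood * impact


def risk_matrix() -> List[List[int]]:
    """The 5x5 matrix as shown on the page: rows likelihood 5..1, columns impact 1..5."""
    return [[risk_score(lik, imp) for imp in SCALE] for lik in reversed(SCALE)]


@dataclass
class Pairing:
    component: str
    threat: str
    vulnerability: str
    likelihood: int          # frequency over the 3-year window, existing controls considered
    impact: Dict[str, int]   # impact per property scored: any subset of "A", "I", "C"


def score_pairing(p: Pairing) -> Dict[str, int]:
    """Per-property (A/I/C) risk scores for one pairing."""
    return {prop: risk_score(p.likelihood, imp) for prop, imp in p.impact.items()}


def asset_risk(register: List[Pairing]) -> int:
    """Single score for a complex asset: highest score over all components and properties."""
    return max(s for p in register for s in score_pairing(p).values())


# Constructed register for a hypothetical two-component service (values are illustrative only).
REGISTER = [
    Pairing("web front end", "credential stuffing", "no MFA on staff logins", 4, {"C": 3}),
    Pairing("database host", "ransomware", "missing OS patches", 2, {"A": 5, "I": 4}),
]

if __name__ == "__main__":
    for row in risk_matrix():
        print(" ".join(f"{v:3d}" for v in row))
    for p in REGISTER:
        print(p.component, score_pairing(p))
    print("asset risk score:", asset_risk(REGISTER))
```

With the constructed register, the front end scores C = 12 and the database scores A = 10 and I = 8, so the asset as a whole is reported at 12, the highest component score.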