Digital shield in cyberspace with a person selecting it with their finger.

Risk Management and Compliance (RMC)

RMC service catalog

It’s never too late to ensure data security on campus. The Cybersecurity Risk Management & Compliance team can assist at any point in your use of a new service, application, or vendor.

RMC can take a high level look at services/tools/vendors prior to purchase, in the process of implementation or while this tool is in use.

The process begins by entering a new risk assessment request. These requests are reviewed and entered into a queue based on when they were received. Once a risk analyst is available, we will contact you to gather additional information. The risk assessment process does require input from your team to reach completion. At any time, please feel free to contact RMC to review the status of your request.

RMC assessment types

This is an accordion element with a series of buttons that open and close related content panels.

Cybersecurity Consultative Review (CCR)

A Cybersecurity Consultative Review (CCR) is a review  of all possible security control information and associated risks  gathered by campus partners and the Office of Cybersecurity.  The goal of the CCR is to communicate vulnerabilities, levels of risk, and recommendations before or after implementation.  A summary of the information gathered is presented in a risk letter to the assessment requestor and their Risk Executive, as needed.

How to request

Complete the OneTrust intake form.
If you have questions, please contact rmc-cybersecurity@cio.wisc.edu.

Risk Executive signature required

Any Risk is e-mailed to the Risk Executive. No Risk Executive sign-off is needed unless the overall risk is higher than Moderate.

Estimated time

Time varies based on request. Collaborative timeline: 15 to 30 business days. High demand for risk assessment work may delay the start of your project.  These estimates apply once your risk assessment has been assigned to a risk analyst.

Next steps

Requestor to acknowledge risks and work toward documentation of risk resolution.

Full risk assessment

HIPAA or non-HIPAA analysis that assesses a defined-scope technology, infrastructure, process, or department against our expectations for security posture. Include HIPAA criteria for ePHI as applicable. May require a BAA with vendor based on results of vendor data.

How to request

Complete the OneTrust intake form.
If you have questions, please contact rmc-cybersecurity@cio.wisc.edu.

Risk Executive signature required

Yes

Estimated time

2-4 Months, 8-10 Sessions.

Time varies based on request. Collaborative timeline: 15 to 30 business days. High demand for risk assessment work may delay the start of your project.  These estimates apply once your risk assessment has been assigned to a risk analyst.

Next steps

Requestor to acknowledge risks and work toward documentation of risk resolution.

Joint Security & Privacy Review (JSPR) (HIPAA)

A Joint Security and Privacy Review (JSPR) is for groups, research projects, and Principal Investigators (PI) that process Protected Health Information (PHI) and don’t need a full HIPAA Risk Analysis. The goal of the JSPR is to provide reviews of research projects, evaluations of research proposals, and evaluations of software that will process, transmit, disclose, or store PHI. A summary of the information gathered is presented in a risk letter to the assessment requestor and their Risk Executive, as needed. Use cases include IRB research, educational activities, projects involving another entity receiving UW PHI, or projects receiving PHI from another entity for a reason other than treatment.

How to request

Complete the OneTrust intake form.
If you have questions, please contact rmc-cybersecurity@cio.wisc.edu.

Risk Executive signature required

Low Risk – email, no approval needed. Signed by Researcher.

Moderate to Critical – Schedule a formal Risk Executive Meeting. Signature required by the Risk Executive.

Estimated time

3-6 weeks

Generally happens before any other stage of assessment, but could also happen at any stage. Time varies based on request. Collaborative timeline: 15 to 30 business days. High demand for risk assessment work may delay the start of your project.  These estimates apply once your risk assessment has been assigned to a risk analyst.

Next steps

Requestor to acknowledge risks and work toward documentation of risk resolution.

Public cloud risk assessment

Assess the risk of projects and services to be used within the UW-Madison Public Cloud environment. Requests can be submitted after a UW-Madison Public Cloud Team consultation and project goals and architecture designs are drafted. The review will take the infrastructure scope, data classification and usage into consideration.

How to request

Complete the OneTrust intake form.
If you have questions, please contact rmc-cybersecurity@cio.wisc.edu.

Risk Executive signature required

For assessments that are High risk or above, a signature will be required.

Estimated time

1-2 months depending on the complexity of the cloud environment.

Time varies based on request. Collaborative timeline: 15 to 30 business days. High demand for risk assessment work may delay the start of your project.  These estimates apply once your risk assessment has been assigned to a risk analyst.

Next steps

Requestor to acknowledge risks and work toward documentation of risk resolution.

Additional public cloud resources

Secure Box / secure storage

Available to UW–Madison staff for the storage and collaboration with restricted data (including ePHI) with a maximum available space of 50GB.

How to request

Complete the OneTrust intake form.
If you have questions, please contact rmc-cybersecurity@cio.wisc.edu.

Risk Executive signature required

No, but communication back to distributed IT will accompany an email to the researcher.  Distributed IT Teams should ensure the endpoint meets the Endpoint Checklist Requirements (PDF) to be compliant with the Endpoint Management Policy (UW-526).

Estimated time

1-3 days.

Time varies based on request. Collaborative timeline: 15 to 30 business days. High demand for risk assessment work may delay the start of your project.  These estimates apply once your risk assessment has been assigned to a risk analyst.

Next steps

None unless scope of work changes.

Note

Alternative secure storage options may exist and suit your needs more specifically. Please review the UW–Madison Data Services page.

Campus partner resources

Find additional resources to assist with the interpretation and evaluation of risk for services used on the UW–Madison campus.

Visit campus partner resources

Data classification

Classifying data allows Cybersecurity a clear vision of what kind of data is in a school, department, college or network.

Data Classification should also consider:

• Where data is stored

• How data flows

• Who has access to it

• Scope of the data to protect

• Who has access to it

• Retention schedules of data

Line art image of a globe and three people

Public

Data should be classified as Public prior to display on web-sites or once published without access restrictions; and when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates.

Line art image of four people in a circle

Internal

Data should be classified as Internal when the unauthorized disclosure, alteration, loss or destruction of that data could result in some risk to the University, affiliates, or research projects. By default, all Institutional Data that is not explicitly classified as Restricted, Sensitive or Public data should be treated as Internal data.

Line art image of a shield with a fingerprint

Sensitive

Data should be classified as Sensitive when the unauthorized disclosure, alteration, loss or destruction of that data could cause a moderate level of risk to the University, affiliates or research projects. Data should be classified as Sensitive if the loss of confidentiality, integrity or availability of the data could have a serious adverse effect on university operations, assets or individuals.

Line art image of a lock with four asterisks

Restricted

Data should be classified as Restricted when the unauthorized disclosure, alteration, loss or destruction of that data could cause a significant level of risk to the University, affiliates or research projects. Data should be classified as Restricted if protection of the data is required by law or regulation or UW-Madison is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed.

Determining risk

When calculating risk, the Office of Cybersecurity will always rely on the ability to trust the risk math. This risk is a combination of qualitative and quantitative measurements and is a joint effort between risk analysts and the business unit. The formula for calculation of risk looks like this:

Risk = Likelihood x Impact

Likelihood

Likelihood is a frequency-based measurement. UW–Madison bases frequency on a 3 year period.

Impact

Impact is the outcome that effects the political, financial, legal, operational or reputational areas of campus.

Campus Risk Ratings

wdt_ID Rating (Likeihood x Impact) Rating definition & prescribed action
1 Critical Risk
(20-25)

Likelihood: Evidence of exploitation of a vulnerability by a threat actor against the asset has been discovered or enough evidence is seen to suspect exploitation has occurred in the past.


Mission Impact: Political, financial, legal, operational or reputational impacts will be felt for two or more years. Damages impact at least an entire UW-Madison Division, or multiple departments across divisions.


Action: Immediate action is required to reduce the risk. Systems designated with CRITICAL risk exposure may be required to be disconnected until resolutions or mitigations are found. CRITICAL risks found during a security risk assessment must be communicated upon discovery.

2 High Risk
(10-16)

Likelihood: Exploitation of a vulnerability by a threat actor against the asset is highly likely, although evidence to suggest  exploitation has occurred has not been found.


Mission Impact: Political, financial, legal, operational or reputational impacts will be felt for 6 months, up to two years OR damages impact at least an entire UW-Madison Division, or multiple departments across divisions.


Action: Prompt action is required to reduce the risk. All HIGH risks must be reduced before the close of the next semester of instruction.

3 Moderate Risk
(5-9)

Likelihood: Exploitation of a vulnerability by a threat actor against the asset is likely in general; some controls are in place to reduce the likelihood of occurrence against the specific asset.


Mission Impact: Political, financial, legal, operational or reputational impacts may be felt for a month or more, but less than a year AND damages would impact three of fewer departments contained in a single UW-Madison division.


Action: Prioritization of remediation efforts is required for all MEDIUM risks. Prioritization must be completed in less than three months. Execution of remediation efforts for MEDIUM risks is based on prioritization relative to other MEDIUM rated risks for the same system or environment.

4 Low Risk
(2-4)

Likelihood: Exploitation of a vulnerability by a threat actor is difficult in general requiring expertise beyond one person with advanced computer skills or resources beyond those generally possessed by an individual. If exploitation is within reach of individuals, then our systems have controls to make it unlikely to experience an incident, in a defined time frame.


Mission Impact: Political, financial, legal, operational or reputational impacts will be minimal. Operational impacts include: short term reallocation of current IT professionals and resources with localized or minor interruption of project work and non-mission critical services; the data custodian will be inconvenienced for some hours, but definitely less than one week.


Action: Required action is limited to making the data custodians and their leadership aware of the risk. The risk must be tracked and reviewed at the next risk assessment, or sooner if changes to the likelihood or impact become apparent.

5 Inconsequential Risk
(1)

Likelihood: Exploitation of this risk is not expected over the course of a defined time frame. The difficulty or expense of exploitation of the documented vulnerability is beyond most known organized crime groups.


Mission Impact: No noticeable impact to any part of UW–Madison is predicted if the exploitation occurs.


Action: Documentation in the risk register is required. Included the findings of NO RISK for the asset, from the specified threat-vulnerabilty.

The matrix presented is consistent with the NIST Risk Management Framework (RMF) process and Federal Information Processing Standards (FIPS) guidance. Generalized presentation of FIPS specific matrix can be found in FIPS 199, February 2004, Table1.

  • The Risk Levels presented here are the standard terms to be used at UW to facilitate improved communication across diverse groups.
  • Risk ratings aid all parties in decision making throughout the RMF process.
  • Typically, the table is not used in isolation: Impact and Likelihood must be defined and assessed. Discussion of these parameters follows.
  • The impact to your group’s mission and the assessment of likelihood of realization of the impact from a threat-vulnerability combination should be tailored to your individual environment and needs.
  • The likelihood and impact help in scoring risks of individual security gaps. The resulting risk scores assist in assessing an overall risk for analyses.

Risk ratings — calculating meaningful scores

A brief discussion follows, along with some examples. Please consult the UW–Madison Cybersecurity team if a more detailed discussion is needed regarding the development of a tailored impact score matrix, as well as the building of a Risk Register (not shown) from the resulting scoring.

Risk is attributed to assets based on the analysis of multiple factors which influence the Availability, Integrity or Confidentiality (AIC) of the asset.

Triangle with sides labeled as Availability, Integrity & Confidentiality

  • Confidentiality – preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
  • Integrity — guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity.
  • Availability – ensuring timely and reliable access to and use of information.

Factors include:

  • Threats posed to that asset
  • Vulnerabilities that expose the asset
  • The impact to any of the UW-Madison mission, values or guiding principles
  • The likelihood that the availability, integrity or confidentiality of the asset will be compromised through a given vulnerability by a threat actor

In a quasi-equation format:

[Risk(to AIC of an asset), (from a threat-vulnerability pairing)] = [the Likelihood of exploitation in a given time frame] × [the impact of such exploitation]

Or simply, Risk = Likelihood × Impact

Risk-scoring notes:

  • The cataloging of risk calculations for assets is accomplished through OneTrust which acts as a Risk Register.
  • Existing security controls need to be considered when evaluating the likelihood of an event.
  • Similarly, existing controls are considered if they limit the felt impact to your mission.
  • When a single score is requiring a complex system, the final highest risk level found for all components of the asset is used.
  • Risks of a threat-vulnerability pairing can be evaluated individually for Availability, Integrity and Confidentiality (AIC) of the asset. Similarly, a single risk scoring can consider two of these or all three parameters.

Risk level is influenced by the type of data in question and the volume of data in question. Type and volume are considerations influencing the Impact score.