OUHSC Information Technology Department


Risk Assessment and Control Review:

Supporting documents: Full policy (PDF) - Standard (PDF) - Process - Form

Once information system data and resources have been identified and appropriately classified, information system resources must undergo a control review and risk assessment. The level of this assessment will be determined by the classification of the information system resource and its data. See the Control Assessment Standard to help determine the minimum requirements for performing Control Assessments and Re-Assessments.

This assessment will identify what controls for the resource are in place and what controls must be added to align with the risk tolerances and appetite for the information system resource and its data.

This process must be repeated any time changes occur in the classification, controls, environment, or operation that could impact the confidentiality, integrity or availability of the information system resource. An example of this is a significant update or major version revision to the application, the operating system, or the supporting architecture.

Reassessment: All information system resources must undergo a formal re-assessment process to ensure that data and resource classifications are still valid and to verify that appropriate responses and controls are still in place.