Risk Assessment Policy

    
1.0 Purpose
To empower the IT Department to perform periodic information security risk assessments (RAs) for the purpose of determining areas of vulnerability, and to initiate appropriate remediation.
     
2.0 Scope
Risk assessments can be conducted on any entity within the American University of Sharjah (AUS) or any outside entity that has signed a Third Party Agreement with AUS. RAs can be conducted on any information system, to include applications, servers, and networks, and any process or procedure by which these systems are administered and/or maintained.
       
3.0 Policy
The execution, development and implementation of remediation programs is the joint responsibility of the IT Department and the department responsible for the systems area being assessed. Employees are expected to cooperate fully with any RA being conducted on systems for which they are held accountable. Employees are further expected to work with the the IT Department Risk Assessment Team in the development of a remediation plan.

4.0 Risk Assessment Process
For additional information, go to the Risk Assessment Process.
       
5.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
       
6.0 Definitions
Terms                    Definitions
Entity                     Any business unit, department, group, or third party, internal or external to AUS, responsible for maintaining AUS assets.

Risk                        Those factors that could affect confidentiality, availability, and integrity of AUS's key information assets and systems. the IT Department is responsible for ensuring the integrity, confidentiality, and availability of critical information and computing assets, while minimizing the impact of security procedures and policies upon business productivity.

7.0 Revision History