Risk Assessment Policy 


Purpose 

This Risk Assessment Policy outlines the risk assessment methodology to be used when assessing IT systems used by the university. 


Scope 

This policy applies to all university-provided Information Technology Resources (ITRs), as defined in the Appendix. 


Policy 

Link to ITRs classification 

Risk assessments should be performed prior to acquiring ITRs and then on an annual basis.  Risk assessments are required for ITRs classified as either Restricted or Sensitive, as defined in the Data Classification Policy [link to policy].  Risk assessments are recommended but not required for ITRs classified as Public. 


Assessment 

The Chief Information Security Officer will assess all ITRs annually to ensure appropriate protections are in place in the following areas: 

Area | Restricted ITRs | Sensitive ITRs | Public ITRs
---- | --------------- | -------------- | -----------
ServiceNow entry | Required | Required | Recommended
ITRs Owner | Required | Required | Required
Separate accounts for each user | Required | Required | Required
Security awareness training for users | Required | Required | Recommended
Vulnerability scanning | Monthly | Monthly | Monthly
Patching cycle | Critical patches within 3 days, all others within 30 days | Critical patches within 7 days, all others within 60 days | Critical patches within 14 days, all others within 180 days
Network location | Internal-facing | No restriction | No restriction
Backup | Required | Required | Optional
Physical security | Secure data center | Secure data center | No restriction
Malware protection | Required | Required | Required
Local firewall | Required | Recommended | Recommended

Documentation 

The Chief Information Security Officer will maintain documentation of risk assessments. 

Exceptions 

All exceptions to this policy require written approval from the Chief Information Security Officer.  All exceptions require annual renewal. 

Appendix 

Definitions and Terms 

Information Technology Resources (ITRs) – This includes, but is not limited to, end-user computing devices, services, networks, email, software, printers, scanners, video distribution systems, telephone systems, fax systems, and other computer hardware and software, whether owned by the university or contracted by the university from a third party. 

Revision History 

August 2024 – Policy adopted