Frequently Asked Questions
The University of Nebraska is committed to protecting the confidentiality, integrity, and availability of information important to the University's mission. Executive Memorandum No. 42 – Policy on Risk Classification and Minimum-Security Standards establishes risk classifications for University of Nebraska data and information systems. University data and information systems are required to be classified into one of the following categories: Low Risk, Medium Risk, or High Risk. Each risk classification is paired with corresponding Minimum-Security Standards that align to National Institute of Standards and Technology (NIST) frameworks. Some data may also be classified by an agreement or regulation that imposes additional compliance requirements.
What is risk?
Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of:
- The adverse impacts that would arise if the circumstance or event occurs;
- The likelihood of occurrence.
Why is it important to determine IT risk?
Determining information security risk enables the University to implement the appropriate security controls to balance usability and defensibility of information systems and data. When risk is accounted for, the University can minimize inherent risks by appropriately managing confidentiality, integrity, and availability of information systems to match the University's risk appetite.
What is an IT risk assessment?
A risk assessment is the process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system.
Risk assessments are made up of several components:
- Threat Event Assessment
- Likelihood of Occurrence
- Impact of Occurrence
- Overall Risk Assessment Summarization
What is IT risk management?
Risk management is the process for prioritizing and addressing the risks identified during the assessment process over time. Risk management balances recommended mitigations with financial constraints, usability, and organizational priorities according to the University’s risk appetite. For questions or consultation, please reach out to its-sec-compliance@nebraska.edu.
Contact NU ITS Security
Need assistance or have questions related to IT Security? Email the NU ITS Security team at security@nebraska.edu for support.