Information Security Risk Assessment Process
This process ensures that all risk decisions remain focused on what matters most to the university’s mission and compliance responsibilities.
Data classification and asset valuation
The data classification and asset valuation phase evaluates projects against the university’s information classification levels and assigns an asset value based on data sensitivity and regulatory requirements. This foundation ensures that all risk decisions remain focused on what matters most to the university’s mission and compliance responsibilities.
Risk assessment
The risk assessment phase evaluates third-party or internal services, applications, and systems. This phase uses intake questionnaires, public policy reviews, and security documentation to gather vendor, system, or project details. Data sensitivity, technical safeguards, and hosting environments are factored in to produce a clear risk rating (High, Medium-High, Medium-Low, or Low) and practical mitigation strategies.
Reporting
A comprehensive report summarizes the risk assessment, outlines identified risks, recommends mitigation strategies for each risk, and documents the remaining risks in our university-wide risk register. Annual recertifications are recommended to reassess the security posture of both internal and external services and partnerships and reinforce the protection of Rutgers data in an ever-evolving threat landscape.
Mitigation strategies
Business application owners, along with data and system owners, are ultimately responsible for making informed decisions regarding projects and vendor engagements. To support this responsibility, the following risk mitigation strategies are provided to guide the evaluation and management of potential risks:
Risk Acceptance
Acknowledge and formally accept the identified risks when the impact is minimal or within the organization’s risk tolerance.
Risk Transfer
Shift responsibility for specific risks to third parties through mechanisms such as insurance coverage or contractual obligations.
Risk Avoidance
Decide not to proceed with an engagement or activity to minimize exposure to high or unacceptable risks.
Risk Reduction
Implement additional technical, administrative, or physical controls to decrease the likelihood or impact of identified risks.
By leveraging these strategies, business, data, and system owners can align risk-based decisions with operational goals, ensuring the security and resilience of Rutgers’ systems and data assets.