| Title: | Risk Management, Information Technology |
|---|---|
| Policy Owner: | Information Technology Services / Chief Information Security Officer |
| Applies to: | System Owners and IT Professionals |
| Campus Applicability: | All UConn Campuses, except UConn Health |
| Approval Date: | February 20, 2026 |
| Effective Date: | March 9, 2026 |
| For More Information, Contact: | UConn Information Security Office |
| Contact Information: | techsupport@uconn.edu or security@uconn.edu |
| Official Website: | https://security.uconn.edu |

PURPOSE
As technology and its capabilities change our environment, threats against these technologies also evolve. To provide the highest level of protection for the University, department and system owners are responsible for regular assessments of risks to their technology platforms. The Information Security Office is responsible for overseeing the evaluation of IT risks across the organization.
APPLIES TO
This policy applies to all System Owners, from University departments and schools/colleges, and IT Professionals.
DEFINITIONS
Risk Assessment: Part of the ongoing risk management process that assigns relative priorities for mitigation plans and implementation.
Risk Assessment Tool: Risk assessment tools are available to department and school/college system owners and IT professionals to collect information about systems, services, and data that will inform efforts to continuously strengthen UConn’s information security.
System Owner: The individual – such as a faculty member, department head, manager, or other employee – who is responsible for the planning and operation of the service. All systems have a designated system owner.
IT Professional: An individual (staff) who is trained and skilled in using technology to solve business problems and who has assigned job duties in support of technology at the University. This must be a defined responsibility within the position job description and may not fall under “other duties as assigned.” Appropriate training, support, and budget must also be available in support of the IT Professional role.
POLICY STATEMENT
The Information Security Office (ISO) is authorized to administer the University’s risk management process, which includes the delegation of responsibility for ensuring that information systems are assessed for risk.
Due to the size and complexity of the UConn environment, each department and system owner is responsible for conducting a regular and ongoing risk assessment of the Information Technologies they are responsible for overseeing.
In conducting a risk assessment, departments/individuals should evaluate risks to Information Technology based on a People, Process, Technology (PPT) methodology. Using this methodology and leveraging ISO policies, including the Acceptable Use Policy, Data Classification Policy, Data Roles and Responsibilities Policy, Security Awareness Training Policy, and System and Application Security Policy (available at https://security.uconn.edu), departments must evaluate opportunities to reduce risk to the confidentiality, integrity, and availability of information technology assets.
Some University organizations will be required to do regular risk assessments as a regulatory or industry requirement. This policy does not reduce or relieve the responsibility of System Owners to complete regulatory and industry‑required assessments.
ENFORCEMENT
Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.
PROCEDURES/FORMS
Questions about this policy or suspected violations may be reported to any of the following:
Office of University Compliance – https://compliance.uconn.edu (860-486-2530)
Information Technology Services Tech Support – https://techsupport.uconn.edu (860-486-4357)
Information Security Office – https://security.uconn.edu
POLICY HISTORY
Policy created: May 12, 2016
Revisions:
August 30, 2021 (Approved by the President’s Senior Team)
February 20, 2026 (Approved by the Senior Policy Council)