Description
Applicability
The university’s Chief Information Security Officer (CISO) has the primary responsibility for the implementation of this Control.
Implementation
1. The Chief Information Security Officer (CISO) shall develop a comprehensive strategy to:
   1.1 Manage security risks to university operations and assets, individuals, and other organizations related to the operation and use of information resources.
   1.2 Manage privacy risks to individuals resulting from the authorized processing of personally identifiable information.
2. Implement a risk management strategy consistently across the university.
3. Review and update a risk management strategy annually or as required to address organizational changes.