
Managing Security Risks

Monday

The Information Security Risk Management Program ensures information resource owners understand their risks and helps them create a plan to remediate them.


Members of the campus community are relying on the university’s critical systems to be secure—preventing bad actors from sabotaging services or stealing information. The core of information security is risk management.  

The Information Security Risk Management Program (RMaP) provides Information Resource Owners a way to identify and minimize potential risks to university systems and information before a successful threat is realized. For 2026, the RMaP cycle is in its 7th year. The program runs every spring, with completion due by June 30.  

RMaP has evolved significantly since its inception through the adoption of the UASecure platform, which offers in-application guidance to help RMaP teams assess the highest risks to their systems and data and build an iterative plan for reducing risk annually. As teams enter information on the use and criticality of their systems and select the security controls currently in place, UASecure provides an analysis based on the NIST 800-53 framework to help them choose which risks to mitigate first. This analysis allows teams to make informed decisions that reduce risk to the university.

Teresa Banks, the information security analyst who manages RMaP, explains, “The ISO Governance, Risk, and Compliance Team (ISO-GRC) has learned so much about assisting RMaP teams in completing their security plans annually. Working with our team saves time and provides helpful information on resources and tools available to mitigate risk effectively in a way that isn’t overwhelming. We are able to provide customized solutions for teams so that they don’t have to hunt for solutions. For example, if a team needs a business continuity plan, we provide the link to our template. If they need assistance with completing the business continuity plan, we can help with that too.”  

By the end of the consultation, which takes 60 minutes or less, the team has a security plan to execute over the next year. In future years, the team completes reassessments that record resolved risks and that identify lower risks that can then be tackled.  

Previously, Teresa gamified the annual RMaP cycle with a new theme each year and developed ways to recognize RMaP teams for completing security plans “early and often” (especially those teams who completed large numbers of security plans – up to 27 per year). Teams who have repeated the process annually have gained increasing confidence and familiarity with the program. They have also significantly reduced risk year after year to the point where most are breezing through quick reviews.  

System owners who have been through RMaP begin thinking more about security in a day-to-day way. For example, more teams are asking Wendy Epley to review software contracts before they sign on the dotted line. Wendy is nationally recognized in CMMC (Cybersecurity Maturity Model Certification), a program for ensuring conformance with security requirements for federal contracts.  

In addition to Wendy’s expertise with contracts, Steve Hicks is an expert on risk mitigation and zero-trust architecture (see story on the Vulnerability Management Program). Dayon Harris provides guidance and resources for documentation (see story on Information Security Assessments of Compliance Program). 

While UASecure is self-service, Teresa does recommend consultations. “Before each consultation, I ensure that I know something about what we are assessing so that we can provide concentrated assistance during the meeting. We always want to ensure that the time spent is valuable.”  

The whole team is eager to help Information Resource Owners and their teams. Teresa explains, “We're a service unit. We want to know, what is the thing that keeps you up at night? Let's see what we can do to make sure you get to sleep.” 


This article is the third in a series of three stories highlighting Information Security Office programs dedicated to helping system owners keep campus IT resources secure.   
