
Assess. Implement. Verify.

Using this three-step process, all departments can make measurable improvements to their information security, with a corresponding measurable reduction of their information risks.

Reach out to for assistance in using the data classifications, security standards, and in conducting the annual assessment.

Assess information risks. 

Begin by identifying and prioritizing risks to your data. Identify all the data you work with according to the four data classification levels: High Risk, Sensitive, Internal, and Public. More detail on these levels can be read on the Data Classification page.

Second, consider the risks imposed by your data exposure. Are you at risk of internet hacking or stolen laptops, or do regulations cover your data? Use this risk level assessment to assess your information risk.

Implement the Information Security Program. 

The goal of this step is to reduce or eliminate the risks identified in step one. The focus is on business risk and not on the latest available technology. The Illinois Security Standards map to risk levels for the purpose of implementing the university security program in your unit. 

Verify compliance with both the Information Security Program and applicable laws and regulations. 

This step assures the business owners that information risks are being managed. The University conducts assessments to evaluate current compliance and to discover where additional resources are needed. 

Information Risk Acceptance vs. Assignment

Risk Assignment is based on the concept that all university units already own all of the risk contained in all of their business processes. This differs from “risk acceptance” in that the risk has already been assigned to the unit, regardless of whether anyone in the unit has officially signed off on and agreed to accept the risk of those processes. 

Assigned risk is owned risk

In practice, the university primarily bills the costs of a negative security event or incident to the unit itself.

The unit can expect to receive a bill from the university that begins in the thousands of dollars for a relatively small security compromise with no data breach involved and goes up from there. It is vitally important that units understand they already own all that risk.

Acceptable Risk

Some risk is considered by the university to be “Acceptable Risk”. Business processes that are compliant with all university standards and legal/regulatory requirements are considered by the university to be acceptable risk and no risk action is necessary.

If unit processes are non-compliant, the university Enterprise Risk Management (ERM) office standards dictate the type of response that must be taken to protect the university from that risk. 

(See the chart at

Very High Risk (High Risk Data, or Sensitive data in a highly critical business process)

  • Requires essential and immediate allocation and organization of resources to manage/mitigate the risk; establish plans and countermeasures

High Risk (Sensitive data, or Public/Internal data in a highly critical business process) 

  • Requires priority allocation of resources for management and/or mitigation; establish plans and countermeasures

GRC works with customers and university decision-makers to mitigate that risk into one of the predefined acceptable risk categories (Moderate, Low, Very Low).

What if a specific business process cannot be made compliant?  

University policy makes allowance for this eventuality through an exception process.  

If the risky item violates university security standards, that risk can be accepted by the unit executive (Dean, Vice Chancellor, or the University CIO) whose budget would be impacted by the costs of a security compromise.

If the risk violates compliance standards, the same official will sign off, as will (after consulting University Counsel) the Chief Information Security Officer and the university official responsible for compliance with that law/requirement.

Enlisting Help with Information Risk

If you are unsure who can officially accept certain risks, what the applicable processes look like, who the data stewards for certain data types are, or who the risk holder might be for an existing gap, Risk and Compliance can help. 

We provide university administration, faculty, and staff with an understanding of their position to enable more informed decisions. Ultimately, final decisions as to risk and risk acceptance are up to authorized university leadership.

Reach out to for help with any of these assessments or reports.

Risk assessment / compliance review & reporting

Written review, gap report, recommendations

  • 1-business week pick-up for requests
  • 90-day turnaround

Third Party Risk Management

Written review and consultations

  • 1-business week pick-up for requests
  • 90-day turnaround

Risk and compliance consulting

Consultation, Subject Matter Expert input

  • 1-business week response to requests
  • 3-week lead time
  • TBD turnaround (per needs)

Risk acceptance/acknowledgement process facilitation

Registered risk acceptance with the Chief Privacy and Security Officer, 1 year duration

  • 1-business week pick-up for requests
  • 1-business week turnaround, assuming immediate response from risk owners