
Office of the AVP & CTO

INFORMATION TECHNOLOGY SECURITY

Risk Management

Risk Management, in the context of Information and Technology, is a discipline concerned with the identification, assessment and prioritization of risk so that appropriate mitigating strategies can be determined, and specific controls selected and applied, to reduce the probability and impact of a risk to a level the organization has decided it can accept.

The primary categories of risk at McMaster University are Information and Technology related. Information risk relates to the principles of confidentiality and integrity of information and the systems that support them. Technology risk relates to the principle of availability of technology and its ability to provide information and services when required. Technology risk is directly linked to Disaster Recovery Planning and Business Continuity Planning activities.

To ensure that Information security risk is mitigated, McMaster University must provide appropriate security controls that protect information by limiting unauthorized or accidental disclosure, access, modification or destruction; failing to do so exposes the University to increased potential damage and an inability to achieve its strategies and objectives. Similarly, to ensure that Technology risk is mitigated, McMaster University must update and maintain its systems and networks and leverage advancements in technology; failing to do so impairs the University's ability to achieve its strategic priorities and objectives.

Risk Management Framework

Risk management is better understood via the Enterprise Risk Management framework, which describes the process as follows:

1. Determine the context of the risk management activity

2. Assess the risk through the identification of threats, the analysis of the likelihood and impact, and the evaluation of existing controls and determination of mitigating strategies

3. Approve and implement adequate controls to treat or mitigate the risks identified

4. Monitor the implemented controls to ascertain if risk is reduced to an expected level

5. Communicate the effectiveness of the mitigating strategies in reducing risk to the appropriate oversight individuals or committee

Principles of Information Technology Security

Information security is governed by three basic principles, confidentiality, integrity and availability, which together are called the CIA Triad. These principles must be applied at every step of the security process and must be continuously measured to ensure risk mitigation remains at acceptable levels.

CONFIDENTIALITY – Information is disclosed to only those who have the right to know

INTEGRITY – Information is protected against unauthorized or accidental modification

AVAILABILITY – Information is available and usable when required by authorized individuals