Information Technology Risk Management

Evaluating IT environments for controls and processes to assess compliance with security best practices and Columbia University policies and standards.

Responsibilities

ITRM Framework Assessment

Evaluating security controls and processes of IT environments and IT assets to assess alignment with Columbia University’s ITRM (Information Technology Risk Management) framework.

Central Application and System Security Assessments

Review of central (CUIT managed) system/application controls to assess compliance with security best practices and Columbia University policies and standards.

Decentralized Application and System Assessments

Review of decentralized (Columbia school and departmental) systems and applications containing sensitive data to assess compliance with security best practices and Columbia University policies and standards.

IT Security Evaluation for Projects and SDLC

Providing security control recommendations throughout the project lifecycle and the Systems Development Life Cycle (SDLC).

External IT Services Vendor Security Assessments

Evaluation of an external vendor's overall security posture to assess alignment with Columbia University policies.

Risk Registry and Remediation

Tracking remediation plans and efforts for the resolution or mitigation of control gaps identified in assessment results.

IT Policy Work

Maintaining current IT policies and creating new ones as needed, publishing updates to the University Policies Catalog, and revising the online security training platform accordingly.

The University's "Information Security Risk Management Policy" establishes the Information Security Risk Management Program to perform risk analyses of information resources that store or process University data. The Information Security Risk Management Program is charged with ensuring that the University operates at an acceptable level of risk with regard to the confidentiality, integrity, and availability of its information resources.

An important part of the Risk Management program is the risk assessment process. This includes registering the following systems in compliance with Columbia University's Registration and Protection of Systems Policy:

All Systems, including CUIMC Systems, that process, transmit and/or store EPHI/PHI Data must be registered with the CUIMC Information Security Office. All Systems that process, transmit and/or store non-EPHI/PHI Sensitive Data and/or Confidential Data must be registered with the CU Information Security Office. Registration will be carried out in accordance with the procedures established by each such Office.

Columbia University's Data Classification Policy defines sensitive data as any information protected by federal, state, or local laws and regulations or by industry standards, such as HIPAA, HITECH, the New York State Information Security Breach and Notification Act, similar state laws, and PCI-DSS, including but not limited to Personally Identifiable Information (PII) and Protected Health Information (PHI).

Currently, the systems described above must be registered in the risk assessment application, RSAM.

Please see our FAQ for any questions you may have, or, if you are having trouble with RSAM, review our RSAM User Guides. If you have any other questions about the program, please email us at [email protected].

Location

Studebaker Building
615 West 131st Street
New York, NY 10027