Information Technology Risk Management

Evaluating IT environments for controls and processes to assess compliance with security best practices and Columbia University policies and standards.

Responsibilities


ITRM Framework Assessment

Evaluating security controls and processes of IT environments and IT assets to assess alignment with Columbia University’s ITRM (Information Technology Risk Management) framework.

Central Applications' and Systems' Security Assessments

Review of central (CUIT managed) system/application controls to assess compliance with security best practices and Columbia University policies and standards.

Decentralized Applications and Systems Assessments

Review of decentralized (Columbia's School and departmental) systems and applications containing sensitive data to assess compliance with security best practices and Columbia University policies and standards.

IT Security Evaluation for Projects and SDLC

Providing security control recommendations during project lifecycle and Systems Development Life Cycle (SDLC).

External IT Services Vendor Security Assessments

Evaluation of external vendor's overall security posture to assess alignment with Columbia University policies.

Risk Registry and Remediation

Tracking remediation plans and efforts for resolution/mitigation of identified control gaps from assessment results.

IT Policy Work

Maintains current IT policies and creates new ones as needed, publishes updates to the Administrative Policy Library (APL), and revises the online security training platform accordingly.

The University’s “Information Security Risk Management Policy” establishes the Information Security Risk Management Program to perform risk analyses of information resources that store or process University data. The Information Security Risk Management Program is charged with ensuring that the University is operating at an acceptable level of risk with regards to the confidentiality, integrity, and availability of its information resources.

An important part of the Risk Management program is the risk assessment process. This includes registering the following systems in compliance with Columbia University's Registration and Protection of Systems Policy:

  • All systems located on Columbia University’s Morningside Heights or Manhattanville campuses that process, transmit and/or store sensitive data must be registered with the CU Information Security Office.
  • All systems located at CUMC must be registered with the CUMC Information Security Office.

Columbia University’s Data Classification Policy defines sensitive data as: any information protected by federal, state or local laws and regulations or industry standards, such as HIPAA, HITECH, the New York State Information Security Breach and Notification Act, similar state laws and PCI-DSS, including but not limited to Personally Identifiable Information (PII) and Protected Health Information (PHI).

Currently the above systems need to be registered in the risk assessment application, RSAM.

Please see our FAQ for any questions you may have, or if you are having trouble with RSAM, review our RSAM User Guides. If you have any other questions about the program at all, please email us at cuit-risk@columbia.edu.

Location

Studebaker Building
615 West 131st Street
New York, NY 10027

Information Technology and Risk Management team

For general inquiries, please email us at cuit-risk@columbia.edu