Information Security Risk Management
Purpose
The purpose of this policy is to ensure that UTAS-Sur identifies and assesses the information security risks to its information systems, taking into account the threats and vulnerabilities affecting those systems and their potential impact on university operations, and that the university plans the treatment of the risks it has identified.
Scope of the Policy
This policy applies to all members of UTAS-Sur, whether temporary or permanent, and to any third parties working with or contracted by the university. It covers all environments in which the university's information systems are operated.
Executive Responsibility
Information Systems and Educational Technologies Center.
Policy Custodian
Assistant Vice Chancellor for UTAS – Sur.
Enforcement
Any violation of this policy by a member of the university or a third party (supplier, contractor, business partner, etc.) will be subject to disciplinary and legal action in accordance with the laws of the Sultanate of Oman, including the regulations on cybersecurity and electronic transactions, labor law, and the university's policies.
Policies and Controls
University Commitment to Information Security Risk Management:
- The university administration must ensure that information security risks are identified and managed effectively, efficiently, and in a timely manner, taking into account the impact of those risks on the university's activities.
Risk Assessment Based on Workflow:
- Information security risks must be assessed and managed as part of the university's normal business activities (daily workflow, information system operations, and similar), by ensuring that information security policies, procedures, and standards are properly applied.
- Risk can be assessed at more than one level of detail. The depth at which employees and relevant third parties assess the risk of a university information system should be proportionate to the sensitivity and importance of that system to the university, taking into account the security classification assigned to it.
The risk assessment of every information system should include:
- Gathering information about the hardware, software, and APIs involved, and about the types of data processed and their classification.
- Identifying threat sources and vulnerabilities.
- Identifying the security controls required for the information system.
- Evaluating the current status of those controls, through discussions with key stakeholders or by conducting appropriate security audits.
For information systems classified as high-risk, the university must conduct a detailed review of the security standards specified for those systems by following a formal information security risk assessment methodology. This methodology may require a detailed analysis of the structure and properties of the information systems, of the threats and vulnerabilities identified in them, and of the security classification assigned to each finding, taking into account the impact on the university's operations.
The Information Systems and Educational Technologies Center is responsible for planning and conducting risk assessments for the systems under its responsibility.
Risk Mitigation and Acceptance:
- The university should treat, in an appropriate manner, the information security risks identified during the risk assessment process.
- Each finding from the risk assessment should be reviewed for its impact on the university and for the technical nature of the risk. The personnel responsible for remediation and the operational or technical mitigation measures should then be identified, and recommendations raised to the university administration for approval and effective implementation. A risk that is accepted rather than mitigated should likewise be documented and approved by the university administration.
Effective Date of the Policy
This policy shall take effect from the approval date.