University of Illinois System

Information Risk Management Process 

As part of the new Illinois Security Program, there is a new three-step process for managing information risk:

  1. The first step is to assess information risks. This step involves identifying and prioritizing risks to your data. Start by identifying all the data you work with. There are four data classification levels defined by DAT01: High Risk, Sensitive, Internal, and Public. More detail on these levels can be read on the Data Classification page. Second, consider the risks posed by your data's exposure. Are you at risk from internet hacking or stolen laptops, or do regulations cover your data? Use this risk level assessment to assess your information risk.
  2. The second step is to implement the Information Security Program. The goal of this step is to reduce or eliminate the risks identified in the previous step. This is a very pragmatic way to implement information security: the focus is on business risks and not on the latest available technology. The Illinois Security Standards map to data classifications for the purpose of implementing the university security program in your unit.
  3. The third step is to verify compliance, with both the Information Security Program and with applicable laws and regulations. This step assures the business owners that information risks are being managed. The University conducts an annual assessment to evaluate current compliance as well as to discover where additional resources are needed.

Using this three-step process, all departments can make measurable improvements to their information security, with a corresponding measurable reduction of their information risks. Reach out to for assistance in using the data classifications, security standards, and in conducting the annual assessment.

Security Program logo featuring the Data Policy and Information Security Policy circling the Information Security standards, control requirements, and job aids.