Data Security Risk Assessment Policy

Data Security Risk Assessment Policy/December 2018

PURPOSE

The purpose of the Data Risk Assessment Policy is to protect the confidentiality, integrity, and availability of UWCCI data in compliance with applicable state and federal laws and regulations. UWCCI has a formal information security risk management process that identifies risks and implements plans to address and manage them.

POLICY STATEMENT

Donor data is a valuable asset to the United Way of Clinton County, Iowa and requires appropriate protection. A formal Data Security Risk Management (DSRM) program consistently identifies and tracks information security risks, implements plans for remediation, and provides guidance for strategic resource planning. It is critical that the UWCCI administer formal DSRM processes in order to facilitate compliance with applicable state and federal laws and regulations, protect the confidentiality, integrity, and availability of UWCCI data, and enable informed decisions regarding risk tolerance and acceptance.

The UWCCI Finance Committee is responsible for managing the Data Security Risk Management program and coordinating the development and maintenance of program policies, procedures, and standards. The Data Security Risk Management program includes the process for managing exceptions to the policy and the risk acceptance process. It includes but is not limited to:

o Passwords
o System and data backups
o Firewall and virus protection

The Finance Committee develops an annual information security risk assessment plan in consultation with staff and Board. See sample attachment. Risk assessments are performed on information assets, systems, processes and controls, based on risk criticality.

Staff and Board must identify all collections and uses of private data, collaborate with the Finance Committee to complete information security risk assessments, and develop and implement a risk treatment plan. Staff and Board must report updates to the risk treatment plan to the Finance Committee. The Finance Committee Board must share results of risk assessments and any associated risk treatment plans with the Board of Trustees.