Risk Acceptance Request - University of Cincinnati

Risk Level (filled in by UCIT OIS)
Department: Enrollment Management/Admissions
RAF# 0020
UCIT Office of Information Security (OIS)
University of Cincinnati
Mail Drop 0658
(513) 556-0803
Risk Acceptance Form (RAF) – Vulnerability Assessments
Name and title of Originator: John Smith, Title
Summary of Request:
Allow the SNMP vulnerability dated 2-5-09 to exist on the networked printer located at xx.xx.xxx and used by the department of …. The vulnerability on this printer cannot be remediated.
Overview of Service Impacted:
This printer is a color printer.
Benefits of Accepting This Risk:
The department will be able to continue using the printer, which poses no additional replacement cost to UC.
Summary of How Doing This Will Put UC at Risk:
(By putting the solution in place as is, what risk does this cause to UC? If there are known vulnerabilities left in place by implementing this solution, list them here.)
A guessable SNMP community string allows an attacker to access the printer software
Unauthorized access to the printer
Could allow an attacker to change device configurations using a spoofed IP address
Could allow an attacker to sniff traffic that crosses the UC network, using the printer as an entry point
Summary of Information Security Controls:
(Describe the technical and procedural controls implemented to address the vulnerabilities and risks above. How are you going to minimize or mitigate the risk this solution causes? If you are not putting any controls in place, simply say “None”.)
The printer is in a locked room with limited access. The printer is turned off at night. The printer is password protected.
Are security controls documented? ( Y / N ) If so, where can the documentation be found?
Admissions department SharePoint site under Standard Operating Procedures (for example)
UCIT OIS Form 40.b
Official Use Only
Version 6.0, 02/26/2013
After controls, what is the remaining risk and what is the risk level:
(Describe the type and magnitude of remaining vulnerabilities and risks after controls have been implemented.)
Could allow an attacker to sniff traffic that crosses the UC network, using the printer as an entry point
A guessable SNMP community string allows an attacker to access the printer software
Unauthorized access to the printer
Could allow an attacker to change device configurations using a spoofed IP address
This part to be filled out by UCIT OIS: What is the assessed Risk Level Associated with this RAF?
Risk Acceptance Request:
The service, application or business owner is seeking a risk acceptance decision for the following deployment scope and duration. If externally sourced, basic information on the contract is provided.
I have reviewed this Security Risk Summary content. I agree that the business benefit and outstanding risk have been adequately identified and are documented accurately. My Director/VP is aware of this request.
Signed by: (actual signature here, not electronic)
Service or Business Owner Signature / Date:
Security Risk Decision Documentation:
(Check decision, fill in relevant information and sign.)
[ ] No. I find the residual risk greater than the potential business benefit. This risk acceptance request is denied.
[ ] Yes, with reduced scope. I accept responsibility for the outstanding risk related to the deployment provided use is reduced and limited per the comments below:
[ ] Yes, for a temporary period while controls are improved. I accept responsibility for the outstanding risks related to the deployment and use of this application or service; however, I find the current level of control inadequate. I would like work to begin to improve controls as noted below.
List scope and timing constraints and/or controls requested:
[ ] Unqualified Yes. I understand and accept responsibility for the outstanding risk related to the deployment and use of this application or service for the requested scope and timeframe. I find the current controls adequate; additional controls need not be applied.
Date of Next Review: (to be filled in by OIS, at least annually)
Information security risks to the business and potential benefits were clearly explained.
Signed by:
Signature Date:
Name: Bo Vykhovanyuk
Title: Assistant Vice President
Department: UCIT Office of Information Security
Due to the potential risk and/or business impact related to this request, I have deemed that this risk needs to be reviewed and approved or denied by a University Executive officer (CIO or President).
[ ] Yes, this risk needs further review.
[ ] No, this risk needs no further review.
Due to the potential risk and/or business impact related to this request, I have deemed that this risk needs to be reviewed and approved or denied by a University Executive officer (CIO or President).
[ ] Yes, this risk needs further review.
[ ] No, this risk needs no further review.
[ ] Yes, this risk can be accepted.
[ ] No, this risk cannot be accepted.
Signed by:
Signature Date:
(Print) Name: Nelson Vincent, EdD
Title: CIO and Associate Dean
Department: UCIT
[ ] Yes, this risk can be accepted.
[ ] No, this risk cannot be accepted.
Signed by:
Signature Date:
(Print) Name: Beverly Davenport
Title: Sr. Vice President and Provost
Department: Office of the Senior Vice President for Academic Affairs & Provost
Appendix A
Terms
Acceptable risk - A term used to describe the minimum acceptable risk that an organization is willing to take.
Countermeasure or safeguards - Controls, processes, procedures, or security systems that help to mitigate potential risk.
Exposure - When an asset is vulnerable to damage or losses from a threat.
Exposure factor - A value calculated by determining the percentage of loss to a specific asset because of a specific threat.
Residual risk - The risk that remains after security controls and security countermeasures have been implemented.
Risk management - The process of reducing risk to assets by identifying and eliminating threats through the deployment of security controls and security countermeasures.
Risk analysis - The process of identifying the severity of potential risks, identifying vulnerabilities, and assigning a priority to each. This may be done in preparation for the implementation of security countermeasures designed to mitigate high-priority risks.
Criticality Matrix

Most Critical (highest level of sensitivity)
  Legal Requirements: Protection of data is required by law (e.g., HIPAA and FERPA data elements and other personal identifying information protected by law)
  Reputation Risk: High
  Other Institutional Risks: Information that provides access to resources, physical or virtual
  Data Examples: Medical; Student; Prospective student; Personnel; Donor or prospect; Financial; Contracts; Physical plant detail; Credit card numbers; Certain management information

Critical (moderate level of sensitivity)
  Legal Requirements: The institution has a contractual obligation to protect the data (e.g., bibliographic citation data, bulk licensed software)
  Reputation Risk: Medium
  Other Institutional Risks: Smaller subsets of Most Critical data from a school, large part of a school, or department
  Data Examples: Information resources with access to Most Critical data; Research detail or results that are not Most Critical; Library transactions (e.g., catalog, circulation, acquisitions); Financial transactions that do not include Most Critical data (e.g., telephone billing); Very small subsets of Most Critical data

Least Critical (very low, but still requiring some protection)
  Reputation Risk: Low
  Data Examples: Campus maps; Personal directory data (e.g., contact information); E-mail; Institutionally published public data
The Risk Matrix
To determine the degree of urgency attached to a given situation, refer to this table (rows are Probability, columns are Impact).

Probability \ Impact    High    Medium    Low
High                     A        B        C
Medium                   A        B        C
Low                      B        C        C
Risk Assessment
The UCIT Office of Information Security will assist with Risk Assessment upon request.