Information Security Risk Management Policy
v2.0
Document Name: Information Security Risk Management Policy
Printed on: 8/23/2024
• External system components are those owned, operated, maintained, and controlled by
any entity other than Trinity, but which may impact the confidentiality, integrity, and
availability (CIA) and overall security of the components described under
"Internal system components".
• While Trinity does not have the ability to provision, harden, secure, and deploy another
organization’s system components, the University will follow best practices by obtaining
all relevant information ensuring that such systems are safe and secure.
Exceptions:
In a few instances, Trinity systems may need to be exempted from the Information Security
Risk Management Policy due to possible technical difficulties or third-party contractual
obligations. Any such exceptions to the current policy must be documented and approved via
Trinity’s Exceptions Management Process.
Policy Content
Implementing and adhering to organizational policies and procedures is a collaborative effort,
requiring a true commitment from all personnel, including management, internal employees, and users
of system components, along with vendors, contractors, and other relevant third parties. Additionally,
by being aware of one’s roles and responsibilities as they pertain to the University information systems,
all relevant parties are helping promote the Confidentiality, Integrity, and Availability (CIA) principles
for information security in today’s world of growing cybersecurity challenges.
Responsibilities include providing overall direction, guidance, leadership, and support for the entire
information systems environment, while also assisting other applicable personnel in their day-to-day
operations.
Internal Employees and Users
Responsibilities include adhering to the organization’s information security policies, procedures, and
practices, and not undertaking any measure to alter such standards on any University system components.
Additionally, Users are to report instances of non-compliance to senior authorities, specifically those
by other users. Users, while undertaking day-to-day operations, may also notice issues that could impede
the safety and security of