Risk Acceptance
Policy Number: 9.1.6
Category: Information Technology
Effective Date: 09/03/2021
Prior Effective Date: 09/25/2019
Owner: VP & CIO, UC Information Technologies
Policy Applicable for: Faculty/Staff/Affiliates
Responsible Office: Office of Information Security
Background
It is understood that it is not possible to eliminate all information security risk from an organization. The University of Cincinnati (UC) is committed to mitigating risk to a level that is prudent or that would be acceptable to a “reasonable person.”
It is, therefore, the general policy of UC that all organizations are required to take steps to reduce risk, as it pertains to information security, to a level established as best practice.
Where an organization elects not to institute a control or process to reduce the risk any further, and there is still a question as to whether the risk is reasonable, the associated risk or vulnerability must be clearly communicated, documented and accepted by UC leadership and/or their designee.
Policy
All organizations within the University of Cincinnati are required to follow information security best practices and university policies with respect to the mitigation of risk, except where there exists a strong business reason to exempt an organization from a particular recommendation, practice or policy.
Unmitigated information security risk must be documented and accepted by the business owner via a Risk Acceptance Form (RAF), and approved by the Office of Information Security (OIS). Appropriate mitigating controls must be implemented and documented by the business owner prior to approval.
OIS is responsible for the maintenance of the RAFs as they pertain to information security. The business owner is ultimately responsible for the risk and by signing the RAF is accepting that responsibility. RAFs must be reviewed, revised and approved on an annual basis.
Please contact the Office of Information Security to start the Risk Acceptance process by emailing: infosec@ucmail.uc.edu
Appendix
History
- Issued: 1/4/2008
- Revised: 10/1/2013
- Reviewed: 3/4/2016
- Revised: 7/20/2016
- Revised: 10/25/2017
- Revised: 09/26/2018
- Reviewed: 09/25/2019
- Reviewed: 09/03/2021