Educause Security Discussion mailing list archives

Re: memorandum of understanding for risk transfer


From: Brad Judy <brad.judy () CU EDU>
Date: Mon, 26 Oct 2015 18:40:09 +0000

You can see the document for this process at the University of Colorado here: 
http://www.cu.edu/sites/default/files/Information-Risk-Acceptance-Process-CJ.doc

Brad Judy

Director of Information Security
University Information Systems
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Glen 
Shere
Sent: Monday, October 26, 2015 12:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] memorandum of understanding for risk transfer


I am searching for examples of, or templates for, a memorandum of understanding prepared by information security staff 
and endorsed by senior management, that:
(a) documents an identified and ongoing information security risk;
(b) documents that senior management elects to accept the identified risk rather than allocate resources required to 
address it; and
(c) explicitly releases information security staff from accountability for managing that risk.

If your organization has a standard template to create this documentation as the need arises, I am interested in 
whatever you can share. Real examples are even better, but given the frequently sensitive nature of these documents, I am 
interested only in the documents you are comfortable sharing.

I recall that several attendees of the EDUCAUSE Security Professionals Conference called these "risk transfer memos", 
but various permutations of that Google search do not yield anything useful. If you call them something else, what do 
you call them?

Thank you in advance.
Glen Shere
Ohio Northern University

