Problem statement: Most institutions recognize the critical role that information security risk management plays in supporting their missions and objectives. Often, however, institutions do not pay enough attention to assessing the effectiveness of their existing security measures, and they are unable to respond to new security threats within a reasonable time. Furthermore, new laws are forcing institutions to manage security risk more closely and effectively than in the past.
Approach: In this study, a metric-based assessment and exception-handling plan is proposed, tailored to the needs of an academic environment. An organizational structure and reporting strategy, which are crucial for effective implementation and monitoring, are also proposed.
Discussion and Conclusion: The proposed assessment metric enables small institutions to make a modest but quick start, because the essential measures are identified and prioritized first. As institutions gain more experience and resources, the remaining levels of the metric can be implemented. Secondly, to reduce response time, a novel role-based communication of exceptions is proposed: responsibilities are distributed across the institution, and each security exception is reported directly to the predefined role responsible for the particular security control concerned. The proposed plan improves overall risk management while shortening response time.