7010 Risk Management
The college will identify and document risks, including both internal and external threats, through regular risk assessments, and will maintain a comprehensive risk register to ensure proactive management and mitigation strategies are in place.
The college shall conduct recurring risk assessments to quantify and evaluate the likelihood and potential impact of unauthorized access, use, disclosure, disruption, modification, or destruction of the college's systems and data. These assessments shall be carried out regularly so that the organization's risk posture is continuously monitored and potential threats are mitigated.
The college will maintain a risk register that aligns with NIST 800-53r5 controls and facilitates ongoing monitoring and reporting of risks related to its digital infrastructure and data assets.
The college shall regularly conduct vulnerability assessments and prioritize identified vulnerabilities based on industry-recognized risk management practices, such as NIST 800-53r5 controls, to ensure timely mitigation of high-risk security threats.
The college shall develop and maintain a formal incident response plan that includes procedures for responding to findings from cybersecurity and data privacy assessments, incidents, and audits. This plan shall outline the process for proper remediation of identified issues to mitigate risks and ensure the security and privacy of the college's information systems and data assets.
The college shall proactively identify and assess cybersecurity risks to its systems and data. Furthermore, the college shall develop and implement compensating countermeasures to mitigate identified risks and reduce exposure to potential threats.
The college shall comply with NIST 800-53r5 controls to ensure that industry-recognized cybersecurity and data privacy practices are integrated into the specification, design, development, implementation, and modification of systems and services.