Risk Assessment
- Update the risk assessment based on changes which have occurred since the previous review.
- Evaluate the continuing applicability of current policies, guidelines, standards and procedures.
- Review periodically all non-compliance situations concerning security policy and practices.
- Determine the appropriate recourse for each non-compliance situation.
All University of Houston information assets, all security-related policies and procedures, and any non-compliance situation identified by the Information Security Officer or management regarding any existing security policy.
Standard
At appropriate times, the Vice Chancellor/Vice President for Information Technology (VC/VPIT) should review the updated risk assessment, proposed changes to policies and procedures, and all non-compliance situations to assess the risk of each situation and determine the appropriate recourse.
Guidelines
- The Information Security Officer should conduct a periodic risk assessment review of the overall information systems environment, current policies, procedures, guidelines and standards, and all incidents of non-compliance.
- The risk assessment should be reviewed annually or whenever significant systems changes are implemented.
- The revised risk assessment should be presented to the VC/VPIT for acceptance.
- The revised policies, procedures, guidelines and standards should be presented to the VC/VPIT for formal approval.
- Incidents of non-compliance should be brought to the attention of the VC/VPIT and one of two actions will be taken:
- The VC/VPIT should identify those policies which require mandatory compliance and determine the corrective measures to be taken to ensure compliance.
- The VC/VPIT should determine those policies where the cost of compliance outweighs the loss exposure. In either case, the VC/VPIT has the option to waive compliance with the policy and accept the risks.