| Control ID |
Control Description | Data Protection Classification | ||||||
| Level 1 | Level 2 | Level 3 | Level 4 | |||||
| RA-1 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of the University’s data | required | required | essential | essential | |||
| RA-2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | required | required | essential | essential | |||
| RA-3 | Remediate vulnerabilities in accordance with risk assessments. | essential | essential | essential | essential | |||