Data Risk Classification Policy


Category: Information Technology
Responsible Office: Vice President and Chief Information Officer
Responsible Executive: Vice President and Chief Information Officer
Date Established: 05/24/2010
Date Last Updated: 11/28/2017

Summary

UB classifies its data into three risk-based categories to determine who is allowed to access the data and what security precautions are required to protect the data. This policy facilitates applying the appropriate security controls to university data and assists data trustees in determining the level of security required to protect data.

Policy Statement

The University at Buffalo (UB, university) is committed to protecting the confidentiality, integrity, and availability of data important to the university’s mission. All university data must be classified based on risk category and protected using the appropriate security measures consistent with the minimum standards for the classification category. The standard for protecting the data becomes more stringent as the risk from disclosure increases.

DATA CLASSIFICATION

Categorization and Risk from Disclosure levels use the Federal Information Processing Standards (FIPS) 199.

Category 1 - Restricted
Minimum Security Standard, per National Institute of Standards and Technology: 800-53-I
Risk from Disclosure: High
Definition:
Protection of the data is required by law/regulation. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.

Restricted data includes the definition of private information in the New York State Security and Breach Notification Act as a foundation: bank account/credit card/debit card numbers, social security numbers, state-issued driver license numbers, and state-issued non-driver identification numbers. To this list, the university policy adds protected health information (PHI) as defined and regulated by HIPAA, computer passwords, other computer access protection data, and passport numbers.

Category 1 - Restricted data are exempt from disclosure/release under the New York State Freedom of Information Law (FOIL). The Information Security Breach and Notification Act requires the university to disclose any breach of the data to New York residents. (State entities must also notify non-residents, see the New York State Information Security Policy.)

Individuals who access, process, store, or in any other way handle Category 1 - Restricted data are required to implement controls and security measures as required by relevant laws and/or regulations in addition to any university policy. In instances where laws and/or regulations conflict with university policy, the more restrictive policy, law, or regulation should be enacted.

Examples:
- Social security number (SSN)
- Driver license number
- State-issued non-driver ID number
- Bank/financial account number
- Credit/debit card number (CCN)
- HIPAA regulated PHI in any form (oral, paper, electronic)
- Passport number
- University IT authentication credentials

Category 2 - Private
Minimum Security Standard, per National Institute of Standards and Technology: NIST 800-53-II
Risk from Disclosure: Moderate
Definition:
Includes university data not identified as Category 1 - Restricted data, but includes data protected by state and federal regulations. This includes Family Educational Rights and Privacy Act (FERPA) protected student records and electronic records that are specifically exempted from disclosure by the New York State FOIL.

Private data must be protected to ensure that they are not disclosed in a FOIL request. FOIL excludes data that if disclosed would constitute an unwarranted invasion of personal privacy.

The NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations maps to the Category 2 - Private data risk classification.

Examples:
- Documents protected by attorney-client privilege
- Donor contact information and non-public gift information
- FERPA-protected data
- Gramm-Leach Bliley data
- Final course grades
- Exam questions or answers
- HR employment data
- Law enforcement investigation data, judicial proceedings data includes student disciplinary or judicial action information
- Public Safety information
- IT infrastructure data
- Collective bargaining negotiation data, contract negotiation data
- Trade secret data
- Protected data related to research
- University intellectual property
- University proprietary data
- Data protected by external nondisclosure agreements
- Inter- or intra-agency data which are not: statistical or factual tabulations; instructions to staff that affect the public; final agency policy or determination; external audit data
- University person number
- Licensed software Intellectual Property
- Information created by a health care provider and used or maintained for the purposes of patient treatment, patient payment, or health care provider operations that is not regulated by HIPAA.

Category 3 - Public
Minimum Security Standard, per National Institute of Standards and Technology: NIST 800-53-III
Risk from Disclosure: Low
Definition:
Includes university data not included in Category 1 - Restricted and Category 2 - Private, and the data is intended for public disclosure, or the loss of confidentiality of the data or system would have no adverse impact on our mission, safety, finances, or reputation.

Public data includes any data that is releasable in accordance with FOIL. This category also includes general access data, such as that available on unauthenticated portions of the institution's website. Public data has no requirements for confidentiality; however, systems housing the data should take reasonable measures to protect its accuracy.

Examples:
- University financial data or business records available to the public
- Meeting minutes
- Administrative process data
- Data about decisions that affect the public
- Other university public data
- General access data, such as that on unauthenticated portions of the institution’s website

Protected Health Information (PHI)

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes. Information regulated by HIPAA may be used/maintained/disclosed within or outside of the university only as specifically permitted by the HIPAA regulations.

Background

University academic and administrative data are valuable assets and often contain detailed information about the university, as well as personal information about faculty, staff, students, and other third parties affiliated with the university. Protecting the information is driven by important considerations including legal, academic, financial, reputation, and other business requirements. This policy provides a framework for classifying university data based on its level of sensitivity, value, and criticality. Classifying data helps determine baseline security controls to protect the data.

Applicability

This policy applies to all university data and to all user-developed data sets and systems that may access these data regardless of the environment where the data reside (e.g., cloud systems, servers, personal computers, mobile devices). The policy applies regardless of the media on which data reside (e.g., electronic, printouts, CD, microfiche) or the form they may take (e.g., text, graphics, video, voice).

Data that is personal to the operator of a system and stored on a university information technology (IT) resource as a result of incidental personal use is not considered university data. University data stored on non-university IT resources must still be verifiably protected according to the respective university minimum security standards.

Failure to adhere to these policies and procedures may result in corrective measures. Corrective measures will be administered to a degree commensurate with the violation and in compliance with applicable collective bargaining agreements and/or applicable laws, regulations, and policies.

Definitions

Category 1 - Restricted

Protection of the data is required by law/regulation. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.

Restricted data includes the definition of private information in the New York State Security and Breach Notification Act as a foundation: bank account/credit card/debit card numbers, social security numbers, state-issued driver license numbers, and state-issued non-driver identification numbers. To this list, university policy adds protected health information (PHI), computer passwords, other computer access protection data, and passport numbers.

Category 1 - Restricted data are exempt from disclosure/release under the New York State Freedom of Information Law (FOIL). The Information Security Breach and Notification Act requires the university to disclose any breach of the data to New York residents. (State entities must also notify non-residents, see the New York State Information Security Policy.)

Individuals who access, process, store, or in any other way handle Category 1 - Restricted data are required to implement controls and security measures as required by relevant laws and/or regulations in addition to any university policy. In instances where laws and/or regulations conflict with university policy, the more restrictive policy, law, or regulation should be enacted.

Category 2 - Private

Includes university data not identified as Category 1 - Restricted data, but includes data protected by state and federal regulations. This includes Family Educational Rights and Privacy Act (FERPA) protected student records and electronic records that are specifically exempted from disclosure by the New York State FOIL.

Private data must be protected to ensure that they are not disclosed in a FOIL request. FOIL excludes data that if disclosed would constitute an unwarranted invasion of personal privacy.

The NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations maps to the Category 2 - Private data risk classification.

Category 3 - Public

Includes university data not included in Category 1 - Restricted and Category 2 - Private, and the data is intended for public disclosure, or the loss of confidentiality of the data or system would have no adverse impact on our mission, safety, finances, or reputation.

Public data includes any data that is releasable in accordance with FOIL. This category also includes general access data, such as that available on unauthenticated portions of the institution's website. Public data has no requirements for confidentiality; however, systems housing the data should take reasonable measures to protect its accuracy.

Data Managers

University officials and their staff who have operational-level responsibility for information management activities related to the capture, maintenance, and dissemination of data.

Data Owner

The University at Buffalo is considered the data owner of all university institutional data; individual units or departments may have stewardship responsibilities for portions of the data.

Data Stewards

University officials who have planning and policy-level responsibilities for data in their functional areas.

Data Trustees

Senior leaders of the university (i.e., vice presidents, vice provosts, and deans) who have responsibility for areas that have systems of record.

Data Users

Individuals who need and use university data as part of their assigned duties or in fulfillment of their role in the university community.

Responsibility

Vice President and Chief Information Officer
- Oversee the implementation of this policy.

Data Manager
- Administer activities delegated by data stewards.
- Maintain physical and system security and safeguards appropriate to the classification level of the data in their custody.

Data Steward
- Manage defined elements of institutional data.
- Implement and apply safeguards that meet or exceed the minimum safeguards for each data classification. Safeguards are determined by the individual unit, but guidance may be provided by the Information Security Office with respect to minimum expectations.

Data Trustee
- Ensure that data stewards in their area are compliant with data governance principles.

Data User
- Maintain the confidentiality, integrity, and availability of university data.
- Implement appropriate safeguards to protect data.
- Follow all university policies, procedures, and standards related to data security classification and security level, including applicable federal and state laws.

Contact Information

Office of the Vice President and Chief Information Officer
517 Capen Hall
Buffalo, NY 14260
Phone: 716-645-7979
Email: cio@buffalo.edu
Website: http://www.buffalo.edu/ubit.html

Information Security Office
201 Computing Center
Buffalo, NY 14260
Phone: 716-645-6997
Email: sec-office@buffalo.edu
Website: http://security.buffalo.edu

Related Information

University Links
- Data Risk Classification Policy Appendix
- Freedom of Information Law (FOIL)
- Information Security: Data Access and Security Policy
- Protection of University Data Policy

Related Links
- Family Educational Rights and Privacy Act (FERPA) dex.html)
- Freedom of Information Law (Foil) Procedures nt-84/D110 1-9-03.pdf
- Gramm-Leach Bliley Act rivacy-and-security/gramm-leach-blileyact)
- HIPAA regulated Protected Health Information ex.html)
- New York State Freedom of Information Law (FOIL) (https://www.dos.ny.gov/coog/foil2.html)
- New York State Information Security Policy (https://its.ny.gov/eiso/policies/security)
- New York State Office of Information Technology Services Information Classification lassification-standard)
- New York State Security and Breach Notification Act (https://its.ny.gov/eiso/breach-notification)
- NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations ons/NIST.SP.800-171.pdf)

History

November 2017: Full review. Updated the policy to:
- change the title of the policy from Data Classification Standard/Data Use Standard to Data Risk Classification
- change the number of classification categories from four (i.e., Category I: Regulated Private Data; Category II: Protected Data; Category III: Internal Use Data; Category IV: Public Data) to three (i.e., Category 1 – Restricted, Category 2 – Private, Category 3 – Public); this change aligns the UB categories with the New York State Office of Information Technology Services Information Classification Standard
- revise data role terminology
- add HIPAA compliance reference
- provide additional data risk classification guidance including:
  - FIPS 199 Security Categorization Definitions
  - Security Standard Crosswalks
  - Example Templates

DATA RISK CLASSIFICATION POLICY APPENDICES
October 2017

Appendix A: FIPS 199 Security Categorization Definitions
Appendix B: Security Standard Crosswalks
Appendix C: Example Templates

Appendix A: FIPS 199 Security Categorization Definitions

FIPS 199 Security Categorization Definitions

Security Objective: Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy. [44 U.S.C., SEC. 3542]
- Low: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational assets, or individuals.
- Moderate: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- High: The unauthorized disclosure of information could be expected to have a catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Security Objective: Integrity
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. [44 U.S.C., SEC. 3542]
- Low: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- Moderate: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- High: The unauthorized modification or destruction of information could be expected to have a catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Security Objective: Availability
Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]
- Low: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- Moderate: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- High: The disruption of access to or use of information or an information system could be expected to have a catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Additional References:
- 32 CFR Part 2002, Controlled Unclassified 2/part-2002
- Federal Information Security Modernization Act of 2014 (P.L. 113-283), December 2014. LAW-113publ283.pdf
- Executive Order 13556, Controlled Unclassified Information, November f/2010-28360.pdf
- Executive Order 13636, Improving Critical Infrastructure Cybersecurity, February f/2013-03915.pdf
- National Institute of Standards and Technology Federal Information Processing Standards Publication 199 (as amended), Standards for Security Categorization of Federal Information and Information Systems. S-PUB-199-final.pdf
- National Institute of Standards and Technology Federal Information Processing Standards Publication 200 (as amended), Minimum Security Requirements for Federal Information and Information Systems. S-200-final-march.pdf
- National Institute of Standards and Technology Special Publication 800-53 (as amended), Security and Privacy Controls for Federal Information Systems and 0-53r4
- National Institute of Standards and Technology Special Publication 800-60 (as amended), Guide for Mapping Types of Information and Information Systems to Security Categories, Volume 0-rev1/SP800-60 Vol1-Rev1.pdf
- National Institute of Standards and Technology Special Publication 800-60 (as amended), Guide for Mapping Types of Information and Information Systems to Security Categories, Volume 0-rev1/SP800-60 Vol2-Rev1.pdf
- National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (as amended). http://www.nist.gov/cyberframework
- Committee on National Security Systems Instruction 4009 (as amended), National Information Assurance Glossary. https://www.cnss.gov
- National Institute of Standards and Technology Special Publication 800-171
- New York State Freedom of Information Law

Appendix B: Security Standard Crosswalks

NIST Special Publication 800-171 – Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
Source: ns/NIST.SP.800-171.pdf

NIST Special Publication 800-53 (Rev. 4) - Security Controls and Assessment Procedures for Federal Information Systems and Organizations
Source: https://nvd.nist.gov/800-53/Rev4/control/RA-3

HIPAA Security Rule Crosswalk to NIST Cybersecurity - Category: Asset Management (ID.AM)

Category:
Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

Subcategory:
ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value

Relevant Control mappings:
- COBIT 5 APO03.03, APO03.04, BAI09.02
- ISA 62443-2-1:2009 4.2.3.6
- ISO/IEC 27001:2013 A.8.2.1
- NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14
- HIPAA Security Rule 45 C.F.R. § 164.308(a)(7)(ii)(E)

Source: f
Additional ialPublications/NIST.SP.800-171.pdf

ISO/IEC 27001 Relevant Security Controls - A.12.6.1* Management of technical vulnerabilities

Appendix C: Example Templates

Risk Classifications: The University has classified its information assets into risk-based categories for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access.

Low Risk
Data and systems are classified as Low Risk if they are not considered to be Moderate or High Risk, and:
1. The data is intended for public disclosure, or
2. The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on our mission, safety, finances, or reputation.

Moderate Risk
Data and systems are classified as Moderate Risk if they are not considered to be High Risk, and:
1. The data is not generally available to the public, or
2. The loss of confidentiality, integrity, or availability of the data or system could have a mildly adverse impact on our mission, safety, finances, or reputation.

High Risk
Data and systems are classified as High Risk if:
1. Protection of the data is required by law/regulation,
2. University is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed, or
3. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.

Data Risk Classification Examples

Use the examples below to determine which risk classification is appropriate for a particular type of data. When mixed data falls into multiple risk categories, use the highest risk classification across all.

Low Risk
- Research data (at data owner's discretion)
- SUNet IDs
- Information authorized to be available on or through University's website without SUNet ID authentication
- Policy and procedure manuals designated by the owner as public
- Job postings
- University contact information not designated by the individual as "private" in University
- Information in the public domain
- Publicly available campus maps

Moderate Risk
- Unpublished research data (at data owner's discretion)
- Student records lications, personnel files, benefits, salary, birth date, personal contact information
- Non-public University policies and policy manuals
- Non-public contracts
- University internal memos and email, non-public reports, budgets, plans, financial info
- University and employee ID numbers
- Project/Task/Award (PTA) numbers
- Engineering, design, tructure

High Risk
- Health Information, including Protected Health Information (PHI)
- Health Insurance policy ID numbers
- Social Security Numbers
- Credit card numbers
- Financial account numbers
- Export controlled information under U.S. laws
- Driver's license numbers
- Passport and visa numbers
- Donor contact information and non-public gift information

Server Risk Classification Examples

A server is defined as a host that provides a network accessible service.

Low Risk
- Servers used te or High Risk Data
- File server used to store published public data
- Database server containing SUNet IDs only

Moderate Risk
- Servers handling Moderate Risk Data
- Database of non-public University contracts
- File server containing non-public procedures/documentation
- Server storing student records

High Risk
- Servers handling High Risk Data
- Servers managing access to other systems
- University IT and departmental email systems
- Active Directory
- DNS

Application Risk Classification Examples

An application is defined as software running on a server that is network accessible.

Low Risk
- Applications handling Low Risk Data
- Online maps
- University online catalog displaying academic course descriptions
- Bus schedules

Moderate Risk
- Applications handling Moderate Risk Data
- Human Resources application that stores salary information
- Directory containing phone numbers, email addresses, and titles
- University application that distributes information in the event of a campus emergency
- Online application for student admissions

High Risk
- Applications handling High Risk Data
- Human Resources application that stores employee SSNs
- Application that stores campus network ation of donor, alumnus, or other individual
- Application that processes credit card payments

Approved Services Example Template: This table indicates which classifications of data are allowed on a selection of commonly used approved university IT services.

Columns: Service; Low Risk; Moderate Risk; High Risk: Non-PHI (1); High Risk: PHI

Services:
- Audio and Video Conferencing:
- Infrastructure Backups:
- Content Management:
- Content Management:
- Calendar:
- Database Hosting:
- Document Management: *
- Document Management:
- Document Management: *
- Document Management: *
- Email:
- Email:
- Email:
- Email:
- Encryption:
- Encryption:
- Encryption:
- File Storage:
- File Storage:
- File Storage:
- File Storage:
- File Transfer:
- Form Builder:
- Google
- Instant Messaging:
- Issue Tracking:
- Microsoft Azure
- Network Access Control:
- Request Tracking:
- Shared Computing:
- University Profiles:
- Survey Tool:
- Voice Messaging
- VPN
- Web Programming:
- Wiki: Confluence

(1) Payment Card Industry (PCI) data has special regulatory requirements that preclude using the services above. Contact the PCI team for assistance with handling this type of data.
* High Risk Data not currently permitted, pending Data Loss Prevention (DLP) solution deployment.

Source: Stanford University
