Risk Assessment

The institution shall periodically (at least once a year) assess the risk to institutional operations (including mission, functions, image, or reputation), institutional assets, and individuals resulting from the operation of institutional systems and the associated processing, storage, or transmission.