In recent years, higher education institutions have recognized the importance of developing and implementing strategies to manage information risk. Proper information risk management now translates into confidentiality, integrity, and availability. A risk management program establishes procedures that will allow organizations to identify, plan and implement mitigation strategies and enable them to effectively address the increasing number of vulnerabilities that may present in their information assets. Failure to manage information risk can lead to undesirable consequences, including financial losses, reputation damage and loss of confidence. An organization that does not integrate information risk assessment and mitigation into its management processes could find it increasingly difficult to achieve its mission and strategic objectives. To assist organizations in implementing a systematic process to identify, prioritize and address areas of information risk, EDUCAUSE has developed a scalable Risk Management Framework. We hope organizations will find this resource valuable in addressing their information security needs.