A good and fast information system is supported by good information technology. To achieve its business goals, optimal and integrated information technology will support good quality services. The XYZ University Information System (UIS) provides a variety of information needed by students, lecturers, and all staff. But the system that is running is still experiencing problems in its use that can pose various risks. To prevent that, a risk assessment is carried out on the UIS to identify various possible risks and prevent them by forming a risk management. This research will be conducted using NIST 800-30. This standard is used with the aim of anticipating risks so that the organization does not experience losses. The preparation of UIS information security risk management carried out in this study has succeeded in identifying 32 risk scenarios, prioritizing risks, providing direction in managing risks and accepting processes whether risks are acceptable or should be mitigated.