Information Security Risk Assessment Procedures
Texas Administrative Code Rule §202.71(b)(6) requires the Chief Information Security Officer (CISO) of Texas A&M University (TAMU) to ensure that annual information security risk assessments are performed and documented for all TAMU information resources. Texas A&M IT Risk Management and Policy Team facilitates the risk management activities to meet those requirements.
Risk management activities include university-wide measurement of how information technology assets contribute to the likelihood of mission impairment; recommendations to the CIO on managing or mitigating risks; and efforts to educate and assist colleges and divisions with IT risk assessments and information security awareness. IT risk assessments are measured against compliance with the Texas A&M Information Security Controls Catalog.
Texas A&M IT will work collaboratively with college and division IT staff to ensure the IT risk assessments are effective and accurate. This will be done through communication, training, and guidance.
The revised Standard Administrative Procedure (SAP) 29.01.03.M0.01, Security of Electronic Information Resources, requires the Dean or Vice President of the division in which the unit resides to formally approve all information security assessment reports. Note that individual faculty or staff who are not classified as information technology personnel may be allowed by their Dean or Vice President to assess their own information resources if they maintain administrative rights and properly manage the resource. However, all assessments must be approved by the appropriate Dean or Vice President.
Once complete, the risk assessment, remediation plans and risk management decisions will be reviewed and approved by the respective Dean or Vice President. The approved assessment results, remediation plans, and risk management decisions are sent to the university’s Chief Information Security Officer (CISO) for final review and formal completion of the annual assessment report.
The formal acceptance by the respective Dean or Vice President signifies the accuracy and completeness of the assessment results, as well as their support of indicated remediation plans (including any budgetary considerations) and risk management decisions.
See the Dean/VP Approval Process.
Starting in FY 2017, there will be no specific risk assessment reporting season. Each fiscal year, all required procedures will be due by the end of April. College and division IT staff should develop a schedule to meet the due date.
FY 2017 Timeline
April 28, 2017 is the date Texas A&M IT will use for required risk management reporting purposes. All units should have their risk assessment reports approved by their Dean or VP by this date to have their unit accounted for in FY 2017 reporting.
Texas A&M IT will help the college and division staff focus on using a phased approach to complete all risk assessments. The time it takes to complete the three phases of the process will vary for each college and division.
Phase 1: Inventory Management/Resource Identification
- Identify all information resources in respective unit (college/division/department)
- Ensure compliance with TAC 202 requirements
Phase 2: Grouping and Assessment
- Group information resources into logical groups that have like security profiles
- Answer technical questions (taken from the web-based tool) about the newly created groups
Phase 3: Data Entry and Reporting
- Enter data from the previous phases into the web-based tool
- Generate reports
Risk Assessment Tool
The risk assessment process currently uses a web-based tool provided by the State of Texas, SPECTRIM, to capture groupings of information resources and compute their risk. Assessments are consolidated to provide the university’s IT risk posture, which is used as input for mitigation and resource allocation.
Note: ISAAC was the web-based assessment tool that was retired at the end of the FY 2015 reporting season.