Assessment Types

The IT risk assessment process consists of four assessment types. Two of the assessment types (Application and Network) come straight from SPECTRIM. The other two assessment types (Location and Unit Policy) are based on questions drawn from the Information Security Controls Catalog.


1. Application

Groupings of information resources (e.g. workstations, laptops, mobile devices, servers, NAS, SAN, hypervisors, software applications, etc.) that do not fall into either the Network or the Location components. The information resources within an Application should have a similar security profile.

Application Assessment – required for all IT-managed information resources, including resources fully or partially managed by an IT Professional. View Application Assessment Template.

2. Location (Facilities)

A location can be a building and/or room within a building. If a data center happens to be in a building that is used for other purposes (e.g. Teague data center), then the data center and the building will be considered different locations in SPECTRIM.

Location Assessment – required for all rooms (e.g. server closet, server room, unit data center, etc.) that house servers managed by unit IT staff. View Location Assessment Template.

3. Network

Networking equipment and related resources (switches, routers, hubs, etc.) that make up a physical network.

If a unit manages a physical network separate from the College Station campus network, that unit must create a Network in SPECTRIM. For the majority of units at the College Station campus, simply linking to the campus network (TAMU Network-711-) in SPECTRIM is sufficient.

Network Assessment – required if a unit manages a physical network separate from the College Station campus network. View Network Assessment Template.

A Network Assessment is NOT required if a unit only does one or more of the following:

    1. Only utilizes the College Station campus network (TAMU Network-711-) for public networking. The Division of IT assesses the College Station campus network.

    2. Manages address space (e.g. Infoblox, NIM, DHCP) on the College Station campus network.

    3. Runs patch cables between information resources and College Station campus networking equipment.

    4. Operates an independent physical or virtual (e.g. software networking, VLANs, etc.) network for private communication between information resources. These networks are to be considered part of an Application representing the information resources connected.


4. Unit Policy

New for FY18. Questions cover controls not included in the SPECTRIM application assessments which are relevant at the unit level, but not necessarily specific to individual information resources.

Unit Policy Assessment – required by each IT unit once annually. View Unit Policy Assessment Template.