DRAC Tasks

Pre-Assessment

| Step # | Task | Overall Responsible | Personnel |
|---|---|---|---|
| Step 1 | College/Division assigns D-RACs | College, Division | IT Staff, Dean/VP |

Phase 1: Inventory Management/Resource Identification

| Step # | Task | Overall Responsible | Personnel |
|---|---|---|---|
| Step 2 | All information resources identified and inventory up-to-date | D-RAC | IT Staff, Staff & Faculty |
| optional | Compare unit inventory list to CANOPY/FAMIS list | D-RAC | IT Staff, Staff & Faculty |

Phase 2: Grouping

| Step # | Task | Overall Responsible | Personnel |
|---|---|---|---|
| Step 3 | Split information resources into two groups: (a) managed by unit IT staff; (b) managed by non-IT professionals (staff & faculty) | D-RAC | IT Staff, Staff & Faculty |
| Step 4 | Group the information resources that are managed by unit IT staff | D-RAC | IT Staff |
| Step 5 | Decide who will be assessors and reviewers of the information resources that are managed by unit IT staff | D-RAC | IT Staff |
| Step 6 | Assessors attend training (required for new assessors, optional for returning assessors); the reviewer role is usually a secondary role | D-RAC | IT Staff |
| Step 7 | Have SPECTRIM accounts created for new assessors and reviewers | IT-RMP | D-RAC, IT Staff |
| Step 8 | Create the Risk Assessable Unit(s) (RAUs) by filling out the import template | D-RAC | |
| Step 9 | Create Components (e.g. Applications, Locations, Networks) by filling out the import template | D-RAC | |
| Step 10 | Send completed import template to ra@tamu.edu | D-RAC | |
| Step 11 | Review and submit the import template to the Department of Information Resources (DIR) for upload into SPECTRIM | IT-RMP | |

Phase 3: Assessment and Review

| Step # | Task | Overall Responsible | Personnel |
|---|---|---|---|
| Step 12 | Assign assessors and reviewers to the specific assessments. Each assessor should be given the assessment spreadsheet that they will fill out. | D-RAC | |
| Step 13 | Create and launch assessments in SPECTRIM | D-RAC | |
| Step 14 | In the assessment spreadsheet, complete the assessment and respond to the findings that are generated based on how the questions were answered | Assessor | D-RAC, IT Staff |
| Step 15 | Notify the reviewer that the assessment spreadsheet is completed and ready for review | Assessor | D-RAC, IT Staff |
| Step 16 | Review the assessment and finding responses | Reviewer | D-RAC, Assessor |
| Step 17 | Approve/reject the assessment and/or the finding responses | Reviewer | D-RAC, Assessor |
| optional | If the assessment is rejected, discuss any issue(s) about the assessment and/or finding responses with the assessor | Reviewer | Assessor, Reviewer |
| optional | Finding responses dealing with resources (budget, personnel, equipment, etc.) can be taken to the dean/VP to ensure there are no surprises at the end of the process | D-RAC | D-RAC, Dean/VP |
| Step 18 | Notify IT-RMP once the assessment and finding responses have been approved | Reviewer | IT-RMP, Reviewer |
| Step 19 | Review the assessment and finding responses | IT-RMP | |
| Step 20 | Approve/reject the assessment and/or the finding responses | IT-RMP | |
| optional | If the assessment is rejected, discuss any issue(s) about the assessment and/or finding responses with the assessor | IT-RMP | Assessor, Reviewer |

Phase 4: Reporting

| Step # | Task | Overall Responsible | Personnel |
|---|---|---|---|
| Step 21 | Submit data to DIR for upload through the use of import templates | IT-RMP | |
| Step 22 | Notify IT-RMP once all college/division assessments are completed and approved (questions answered and findings responded to) | D-RAC | |

DRAC Tasks

| Step # | Task | Overall Responsible | Personnel |
|---|---|---|---|
| Step 1 | All information resources identified and inventory up-to-date | Senior IT Staff | IT Staff, Staff & Faculty |
| optional | Compare unit inventory list to CANOPY/FAMIS list | Senior IT Staff | IT Staff, Faculty |
| Step 2 | Split information resources into two groups: (a) managed by unit IT staff; (b) managed by non-IT professionals (staff & faculty) | Senior IT Staff | IT Staff, Staff & Faculty |
| Step 3 | Identify staff and faculty who solely manage their information resources and/or who have local administrative privileges | Senior IT Staff | Staff & Faculty |
| Step 4 | Send list of non-IT professionals to Dean/VP (or designee) for approval | Senior IT Staff | Dean/VP (or designee) |
| optional | Attend training | Staff & Faculty | IT Staff |
| Step 5 | Send the appropriate end user survey link (Google form) to non-IT professionals | Senior IT Staff | Staff & Faculty |
| Step 6 | Fill out the appropriate end user survey | Staff & Faculty | IT Staff |
| optional | Assist as needed | Staff & Faculty | IT Staff, IT-RMP |
| Step 7 | Submit the end user survey | Staff & Faculty | IT Staff |
| Step 8 | Submit all survey results to the appropriate college/division | Division of IT | IT Staff |
| Step 9 | Begin the Dean/VP Approval Process | Division of IT | CISO, Senior IT Staff, Dean/VP |

The approval process for the deans and Vice Presidents to sign off on the annual information security assessments requires coordination between the Division of IT and the Division Risk Assessment Coordinator (D-RAC) from the college or division.

| Step # | Task | Personnel |
|---|---|---|
| Step 1 | Respond to all findings (i.e. corrective action, risk management decision) | Assessor |
| Step 2 | Notify the Division of IT that all risk assessments and related findings are complete | Division Risk Assessment Coordinator |
| Step 3 | Create a college/division executive summary which includes: (1) decisions or actions that the CISO thinks may deserve additional consideration; (2) aggregate data for the college/division; (3) Dean/VP signature page | Division of IT |
| Step 4 | Prepare college/division information security assessment report (which includes PDFs of all risk assessments in the college/division) | Division of IT |
| Step 5 | Send documentation (i.e. college/division executive summary, college/division information security assessment report) to the D-RAC | Division of IT |
| Step 6 | Submit documentation to the dean/VP for signature | Division Risk Assessment Coordinator |
| Step 7 | Review and approve college/division executive summary | Dean or VP |
| Step 8 | Submit signed dean/VP signature page to Division of IT | Division Risk Assessment Coordinator |
| Step 9 | Create university executive summary which includes: (1) decisions or actions the CISO thinks may deserve additional consideration; (2) aggregate data for the university; (3) CISO signature page | Division of IT |
| Step 10 | Review and approve university executive summary | Chief Information Security Officer (CISO) |
| Step 11 | Submit university executive summary to the CIO & President | Chief Information Security Officer (CISO) |