Risk Assessment Overview

Texas Administrative Code Rule §202.71(b)(6) requires the Chief Information Security Officer (CISO) of Texas A&M University (TAMU) to ensure annual information security risk assessments are performed and documented for all TAMU information resources. The Division of Information Technology (IT) Risk Management and Policy Team facilitates the risk management activities to meet those requirements.

IT risk management activities include university-wide measurement of information technology assets' contribution to the likelihood of mission impairment, making recommendations to the CIO to manage or mitigate risks, as well as efforts to educate and assist colleges and divisions in IT risk assessments and information security awareness. IT risk assessments are determined by compliance with the Texas A&M Information Security Controls Catalog.

The Division of IT will work in collaboration with college and division personnel (e.g. unit IT staff, non-IT staff, faculty, etc.) to ensure the IT risk assessments are effective and accurate. This will be done through communication, training, and guidance.

How information resources are assessed will be determined by who manages them. Unit IT staff will assess the information resources that are solely or partially managed by the unit IT department. Individual staff and faculty not classified as an IT professional (see definition below) who solely manage their own information resources (e.g. a faculty-managed server) and/or have administrative rights (e.g. local administrator privileges) will be required to perform an information resource risk assessment using a Google Form. The dean or vice president (or their designee) must review and approve the list of non-IT professional assessors annually.

IT professional - A staff or faculty member whose primary duties are to manage information systems or to directly support, in the technical sense, personnel who manage information resources (e.g. Database Administrator, Systems Analyst, Web Developer, IT Manager, etc.)

IT professionals should not solely assess information resources that they do not exclusively manage. It is the responsibility of the information resource owner to ensure the appropriate IT risk assessment has been performed on the information resource. The Division of IT recommends that unit IT staff assist their staff and faculty in managing their information resources to ensure those resources comply with university SAPs, university security controls, and IT unit policies. Non-IT professionals who need assistance should contact their unit IT staff. If the unit IT staff is unable to assist, visit the help page for information regarding assistance offered through the Division of IT.

Assessment Approvals

The revised Standard Administrative Procedure (SAP) 29.01.03.M0.01, Security of Electronic Information Resources, requires that the dean or vice president for the college or division in which the unit resides formally approve all college/division information security assessment reports. The approval process starts after the college or division has completed all IT risk assessments.

Once complete, the risk assessments, remediation plans and risk management decisions will be compiled into the college/division information security assessment report and then reviewed by the CISO. The CISO will note in the executive summary any decisions or actions that may deserve additional consideration by the college or division. The executive summary, as well as the assessment results, remediation plans, and risk management decisions, must be reviewed and approved by the respective dean or vice president.

The formal acceptance by the respective dean or vice president signifies the accuracy and completeness of the assessment results, as well as their support of indicated remediation plans (including any budgetary considerations) and risk management decisions.

See the Dean/VP Approval Process.

Timeline

Starting in FY 2017, there will be no specific risk assessment reporting season. Each fiscal year, all required procedures will be announced, and due dates will typically coincide with the end of the spring semester. College and division IT staff should develop a schedule to meet the due date.

The Division of IT will help college and division personnel complete all risk assessments using a phased approach. The time it takes to complete the four phases of the process will vary for each college and division.

Phase 1: Inventory Management/Resource Identification

  • Identify all information resources in the respective unit (college/division/department)
  • Ensure compliance with TAC 202 requirements

Phase 2: Grouping

  • Group information resources into logical groups that have like security profiles

Phase 3: Assessment and Review

  • Answer technical questions
  • Review assessment results

Phase 4: Reporting

  • Finalize assessment results
  • Generate reports
  • Submit reports for review and signatures

Risk Assessment Tool

The risk assessment process currently uses SPECTRIM, a web-based tool provided by the State of Texas, to record information resources managed by a unit’s dedicated IT staff and compute their risk. Assessments are consolidated to provide the university’s IT risk posture, which is used as input for mitigation and resource allocation.