Risk Assessment Overview

Texas Administrative Code Rule §202.71(b)(6) requires the Chief Information Security Officer (CISO) of Texas A&M University (TAMU) to ensure that annual information security risk assessments are performed and documented for all TAMU information resources. The Texas A&M IT Risk Management and Policy Team facilitates the risk management activities needed to meet those requirements.

IT risk management activities include university-wide measurement of how information technology assets contribute to the likelihood of mission impairment, making recommendations to the CIO on managing or mitigating risks, and efforts to educate and assist colleges and divisions in IT risk assessments and information security awareness. IT risk assessments are based on compliance with the Texas A&M Information Security Controls Catalog.

Texas A&M IT will be working in collaboration with college and division IT staff to ensure the IT risk assessments are effective and accurate. This will be done through communication, training, and guidance.

The revised Standard Administrative Procedure (SAP) 29.01.03.M0.01, Security of Electronic Information Resources, requires the dean or Vice President for the division in which the unit resides to formally approve all information security assessment reports. Note that individual faculty or staff not classified as an IT professional (see definition below) may be allowed by their dean or Vice President to assess their own information resources if they maintain administrative rights and properly manage the resource. However, all assessments must be approved by the appropriate dean or Vice President.

IT professional - A staff or faculty member whose primary duties are to manage information systems or to directly support, in the technical sense, personnel who manage information resources (e.g. Database Administrator, Systems Analyst, Web Developer, IT Manager, etc.).

IT professionals should not assess information resources that they do not solely manage. It is the responsibility of the information resource owner to ensure a risk assessment has been performed on the information resource. Texas A&M IT recommends that unit IT staff assist the unit's staff and faculty in managing their information resources to ensure those resources comply with university SAPs, university security controls, and IT unit policies.

Assessment Approvals

Once complete, the risk assessment, remediation plans, and risk management decisions will be reviewed and approved by the respective dean or Vice President. The approved assessment results, remediation plans, and risk management decisions are then sent to the university's Chief Information Security Officer (CISO) for final review and formal completion of the annual assessment report.

The formal acceptance by the respective dean or Vice President signifies the accuracy and completeness of the assessment results, as well as their support of indicated remediation plans (including any budgetary considerations) and risk management decisions.

See the Dean/VP Approval Process.

Timeline

Starting in FY 2017, there will be no specific risk assessment reporting season. Each fiscal year, all required procedures will be due by the end of April. College and division IT staff should develop a schedule to meet the due date.

Texas A&M IT will help the college and division staff focus on using a phased approach to complete all risk assessments. The time it takes to complete the three phases of the process will vary for each college and division.

Phase 1: Inventory Management/Resource Identification

  • Identify all information resources in the respective unit (college/division/department)

  • Ensure compliance with TAC 202 requirements

Phase 2: Grouping and Assessment

  • Group information resources into logical groups that have like security profiles

  • Answer technical questions (taken from the web-based tool) about the recently-created groups

Phase 3: Data Entry and Reporting

  • Enter data from previous phases into the web-based tool

  • Generate reports

Risk Assessment Tool

The risk assessment process currently uses SPECTRIM, a web-based tool provided by the State of Texas, to capture groupings of information resources and compute their risk. Assessments are consolidated to provide the university's overall IT risk posture, which is used as input for mitigation planning and resource allocation.

Note: ISAAC was the web-based assessment tool retired at the end of the FY 2015 reporting season.