Summary

The annual IT risk assessment process for the university relies on support from a matrixed organization. It starts with each college, division, school, and branch campus identifying at least one, and at most two, Division Risk Assessment Coordinators (D-RACs) for its unit. The D-RAC(s) are responsible for working with Texas A&M Information Technology (IT) and coordinating the efforts of Assessors and Reviewers for their respective unit. Texas A&M IT will provide guidance and training to ensure units can complete the process on time. Texas A&M IT will also review assessments and compile reports for the Chief Information Security Officer (CISO) and the Chief Information Officer (CIO). The dean or VP will be responsible for formally approving the results of the information security assessment (report) and any associated unit risk management plans for his/her respective unit.

Roles and Responsibilities

Organization Level (Texas A&M University)

CISO

The Chief Information Security Officer (CISO) is designated by the president of Texas A&M University and is ultimately responsible for the security of information resources for the university.

Responsibilities

  • Texas Administrative Code Rule §202.71

      • Rule §202.71(b)(6)&(7): Ensure that annual information security risk assessments are performed and documented for all Texas A&M University information resources

      • Rule §202.71(b)(11): Report, at least annually, to the Texas A&M University head on the status and effectiveness of security controls

  • Designate the Risk Assessment Coordinator (RAC) for Texas A&M University

  • Provide guidance on all matters pertaining to IT risk management activities

  • Review all risk assessments and related risk management decisions

  • Report to CIO and university president (see Dean/VP Approval Process for documentation submitted)

View CISO Tasks on the Assessment Checklist

Texas A&M IT - IT Risk Management and Policy Team

Facilitates the university IT risk management activities on behalf of the CISO to meet state requirements. This is accomplished by ensuring the colleges and divisions use a phased approach to complete all risk assessments. The time it takes to complete the three phases of the process will vary for each college and division.

Responsibilities

  • Act as the “Security Office” SPECTRIM role

  • Fill the role of the RAC for Texas A&M University

  • Serve as the Division Risk Assessment Coordinator (D-RAC) for Texas A&M IT

  • Serve as liaison with the Department of Information Resources (DIR) for all university-related SPECTRIM issues

  • Provide guidance and training to Texas A&M University SPECTRIM users

  • Review all assessments and responses to the generated findings

  • Ensure the college and division risk assessment reports that will be signed by the deans and VPs are created

A detailed breakdown of responsibilities by assessment phase is available on the Assessment Checklist.

View IT Risk Management and Policy Team Tasks on the Assessment Checklist

Division Level (College, Division, School, or Branch Campus)

Dean/VP

The dean or vice president of a college or division now plays a role in university annual IT risk assessments, starting in FY 2017. According to the updated Standard Administrative Procedure 29.01.03.M0.01 - Security of Electronic Information Resources (07-18-2016):

“The Dean or Vice President for the division in which the unit resides shall formally approve the results of the information security assessment (report) and any associated unit risk management plans.”

Responsibilities

  • Formally approve the results of the information security assessment (report) and any associated unit risk management plans. This process will be done outside of SPECTRIM with coordination between the respective D-RAC(s) and Texas A&M IT (see Dean/VP Approval Process for details).

  • Formally approve staff and faculty members in his/her college or division who are non-IT professionals but will take on the role of an Assessor in order to complete one or more IT risk assessments.

View Dean/VP Tasks on the Assessment Checklist

Division Risk Assessment Coordinator (D-RAC)

A D-RAC is a liaison between his/her college or division and Texas A&M IT concerning the annual IT risk assessment process. The college or division is responsible for choosing its D-RACs, and may have an appropriate number of them depending on size and scope. A D-RAC is typically an upper-level IT professional who has a deep understanding of the IT resources used by the college or division. D-RACs are responsible for ensuring the assessment process is followed by all units that manage information resources within their college or division, and for ensuring all information resources are assessed. This is especially important in a college or division that is decentralized.

Responsibilities

Overall Process:

  • Liaison to Texas A&M IT

  • Monitor progress throughout all phases

  • Assist the dean or VP with his/her responsibilities

A more complete explanation of responsibilities and links to Knowledge Base documentation are available on the D-RAC page and the Assessment Checklist.

SPECTRIM Account privileges:

  • Can create and edit any Risk Assessable Units (RAUs), components (i.e. Application, Location, Network), and assessment records in his/her Division.

  • Can answer the assessment questions and respond to findings in any assessment in his/her Division.

  • Can monitor the progress of all RAUs and assessments in his/her Division.

View D-RAC Tasks on the Assessment Checklist

Assessor

The Assessor is a staff or faculty member who answers the assessment questions and is then responsible for responding to Findings generated from the assessment results. This person should have IT expertise in the specified area(s) and detailed knowledge of the information resources they will assess.

Staff and faculty are split into two groups (i.e. IT professionals and non-IT professionals) when it comes to IT risk assessments, because non-IT professionals are not allowed to perform an IT risk assessment unless they have been formally approved by their respective dean or VP.

Responsibilities - A detailed explanation of responsibilities is available on the Assessment Checklist.

SPECTRIM Account privileges:

  • Can view RAU, components (i.e. Application, Location, Network), and assessment records in his/her Division.

  • Can answer the assessment questions and respond to generated findings for assigned assessments.

View Assessor Tasks on the Assessment Checklist

Reviewer

The Reviewer is a second person who reviews an assessment to ensure accuracy. The Reviewer role is generally a secondary role for a D-RAC and/or Assessor. An individual cannot hold both the Assessor and Reviewer roles for the same assessment. A Reviewer should have knowledge of the information resources that will be reviewed.

Responsibilities - A detailed explanation of responsibilities is available on the Assessment Checklist.

SPECTRIM Account privileges:

  • Can view RAU, components (i.e. Application, Location, Network), and assessment records in his/her Division.

  • Can access the assigned assessments to review the assessment and its generated findings.

View Reviewer Tasks on the Assessment Checklist