Summary

The annual IT risk assessment process for the university relies on support from a matrixed organization. It starts with each college, division, school, and branch campus identifying at least one Division Risk Assessment Coordinator (D-RAC), with a maximum of two, for each respective unit. The D-RAC(s) are responsible for working with the Division of Information Technology (IT) and coordinating the efforts of their respective unit. The Division of IT will provide guidance and training to ensure units can complete the process on time. The Division of IT will also review assessments and compile reports for the Chief Information Security Officer (CISO) and the Chief Information Officer (CIO). The dean or VP will be responsible for formally approving the results of the college/division information security assessment (report) and any associated unit risk management plans for his/her respective unit.

Roles and Responsibilities

Organization Level (Texas A&M University)

CISO

The Chief Information Security Officer (CISO) is designated by the president of Texas A&M University and is ultimately responsible for the security of information resources for the university.

Responsibilities

  • Texas Administrative Code Rule §202.71

      • Rule §202.71(b)(6)&(7): Ensures that annual information security risk assessments are performed and documented for all Texas A&M University information resources

      • Rule §202.71(b)(11): Reports, at least annually, to the Texas A&M University head on the status and effectiveness of security controls

  • Designate the Risk Assessment Coordinator (RAC) for Texas A&M University

  • Provide guidance on all matters pertaining to IT risk management activities

  • Review all risk assessments and related risk management decisions

  • Report to CIO and university president (see Dean/VP Approval Process for documentation submitted)

View CISO Tasks on the Assessment Checklist

Division of IT - IT Risk Management and Policy Team

Facilitates the university IT risk management activities on behalf of the CISO to meet state requirements. This is accomplished by ensuring the colleges and divisions use a phased approach to complete all risk assessments. The time it takes to complete the four phases of the process will vary for each college and division.

Responsibilities

  • Act as the “Security Office” SPECTRIM role

  • Fill the role of the RAC for Texas A&M University

  • Serve as the Division Risk Assessment Coordinator (D-RAC) for Division of IT

  • Liaise with the Department of Information Resources (DIR) for all university-related SPECTRIM issues

  • Provide guidance and training to Texas A&M University personnel

  • Review all assessments and responses to the generated findings

  • Ensure the college and division information security assessment reports are created and signed by the deans and VPs

A detailed breakdown of responsibilities by assessment phase is available on the Assessment Checklist.

View IT Risk Management and Policy Team Tasks on the Assessment Checklist

Division Level (College, Division, School, or Branch Campus)

Dean/VP

The dean or vice president of a college or division plays a role in university annual IT risk assessments. According to the updated Standard Administrative Procedure 29.01.03.M0.01 - Security of Electronic Information Resources (07-18-2016):

“The Dean or Vice President for the division in which the unit resides shall formally approve the results of the information security assessment (report) and any associated unit risk management plans.”

Responsibilities

  • Formally approve the results of the information security assessment (report) and any associated unit risk management plans. This process will be done outside of SPECTRIM with coordination between the respective D-RAC(s) and the Division of IT (see Dean/VP Approval Process for details).

  • Formally approve* staff and faculty members in his/her college or division who are non-IT professionals but will be taking on the role of an Assessor in order to complete one or more IT risk assessments.

    * or designee

Division Risk Assessment Coordinator (D-RAC)

A D-RAC is a liaison between his/her college or division and the Division of IT for the annual IT risk assessment process. The college or division will be responsible for choosing their D-RACs. Each college and division may have an appropriate number of D-RACs, depending on size and scope. A D-RAC is typically an upper-level IT professional who has a deep understanding of the IT resources used by the college or division. D-RACs are responsible for ensuring the assessment process is followed by all units who manage information resources within their college or division, and ensuring all information resources are assessed. This is especially important in a college or division that is decentralized.

Responsibilities

Overall Process:

    • Liaison to Texas A&M IT
    • Monitor progress throughout all phases
    • Assist the dean or VP with his/her responsibilities

A more complete explanation of responsibilities and links to Knowledge Base documentation are available on the D-RAC page and the Assessment Checklist.


SPECTRIM Account privileges:

  • Can create and edit any Risk Assessable Units (RAU), components (i.e. Application, Location, Network), and assessment records in his/her unit.

  • Can answer the assessment questions and respond to findings in any assessment in his/her unit.

  • Can monitor the progress of all RAUs and assessments in his/her unit.

Note: Most D-RACs will only need to use SPECTRIM to create and launch assessment records.

Assessor

The Assessor is a unit IT staff member who answers the assessment questions and then responds to the Findings generated from the assessment results. This person should have IT expertise in the specified areas and detailed knowledge of the information resources they will assess.

For IT risk assessments, staff and faculty are divided into two groups: IT professionals and non-IT professionals. The distinction matters because non-IT professionals are not allowed to perform an IT risk assessment unless they have been formally approved by their respective dean or VP.

Responsibilities - A detailed explanation of responsibilities is available on the Assessment Checklist.


SPECTRIM Account privileges:

  • Can view RAU, components (i.e. Application, Location, Network), and assessment records in his/her unit.

  • Can answer the assessment questions and respond to generated findings to assigned assessments.

Note: Most assessors will not be required to log in to SPECTRIM, but all assessors will have an account in SPECTRIM so that their information is in the system.

Reviewer

The Reviewer is another unit IT staff member who reviews an assessment to ensure accuracy. The Reviewer role is generally a secondary role for a D-RAC and/or Assessor. An individual cannot hold the Assessor and Reviewer roles for the same assessment. A Reviewer should have knowledge on the information resources that will be reviewed.

Responsibilities - A detailed explanation of responsibilities is available on the Assessment Checklist.


SPECTRIM Account privileges:

  • Can view RAU, components (i.e. Application, Location, Network), and assessment records in his/her unit.

  • Can access the assigned assessments to review the assessment and generated findings.

Note: Most Reviewers will not be required to log in to SPECTRIM, but all Reviewers will have an account in SPECTRIM so that their information is in the system.

Non-IT Professionals

Staff and faculty members who are not considered IT professionals but are required to complete an information resource survey based on their level of responsibility for an information resource.

Levels of responsibility:

  • Solely responsible for managing the information resource(s) being assessed (e.g. faculty managed server, faculty managed workstation)
  • Partially responsible for managing the information resource being assessed because they have administrative rights (e.g. local administrator privileges)

Note: Non-IT staff and faculty are not required to use SPECTRIM. Instead, they will complete an end user survey through a Google form.