This Control applies to the university Chief Information Security Officer (CISO) who has the authority to administer the information security functions for the entire institution and is responsible for assessing and reporting to the President the status and effectiveness of security controls under Texas Administrative Code (TAC) §202.76(c). This Control is distinct from the unit security risk assessments described in RA-3 Risk Assessment.

The Chief Information Security Officer shall develop a security assessment plan that describes the scope of the assessment including:

• 1.1

  university security controls under assessment;

• 1.2

  assessment procedures to be used to determine security control effectiveness; and

• 1.3

  assessment environment, assessment team, and assessment roles and responsibilities.

The security assessment will:

• 2.1

  review the university security controls and the environment of operation to determine the extent to which the controls are implemented correctly, operate as intended, and produce the desired outcome with respect to meeting the university’s security requirements;

• 2.2

  be performed by individual(s) independent of the Office of the Chief Information Security Officer; and

• 2.3

  be performed at least biennially.

The results of the security assessment shall be reported to the President or designated representative.