Description
Applicability
-
This Control applies to all information security risk assessments that are conducted annually for university information resources.
-
The intended audience includes all University personnel involved in performing, assisting with, approving, or making risk management decisions related to information security risk assessments.
Implementation
-
1
An information security risk assessment shall be performed and documented for all university information resources.
-
1.1
Risk assessments shall be performed annually, or sooner when there are significant changes to the information resource.
-
1.2
The assessments shall be completed using the Information Security Risk Assessment Procedures published by the Texas A&M Chief Information Security Officer (CISO).
-
2
The Office of the CISO shall review the Information Security Risk Assessment Procedures (ISRAP) annually to ensure the effectiveness and efficiency of the risk assessment process.
-
2.1
The review process shall include, where appropriate: integration, documentation, review, and dissemination of the assessment results to appropriate stakeholders.
-
2.2
Detailed guidelines can be found at the ISRAP website.
-
3
Annual risk assessments shall consider risks to supply chains associated with university information resources.