Risk Assessment Overview

Texas A&M System Regulation (29.01.03 Information Security) requires the Chief Information Security Officer (CISO) of Texas A&M University (TAMU) to ensure that annual IT risk assessments are performed and documented for all TAMU information resources. The Division of Information Technology (Division of IT) facilitates risk management activities to meet those requirements.

IT risk management activities include university-wide measurement of how information technology assets contribute to the likelihood of mission impairment, recommendations to the CIO on managing or mitigating risks, and efforts to educate and assist colleges and divisions with IT risk assessments and information security awareness. IT risk assessments are determined by compliance with the Texas A&M Information Security Controls Catalog.

The Division of IT will be working in collaboration with college and division IT staff to ensure the IT risk assessments are effective and accurate. This will be done through communication, training, and guidance.

How information resources are assessed will be determined by who manages them.

  • Unit IT staff will assess the information resources that are solely and partially managed by the unit IT department.
  • Individual staff and faculty not classified as IT professionals (see definition below) who solely manage their own information resources (e.g., a faculty-managed server) and/or have administrative rights (e.g., local administrator privileges) will be required to perform an information resource risk assessment.

The dean or vice president (or their designee) must annually review and approve the list of non-IT professionals.

IT professionals should not solely assess information resources that they do not exclusively manage. It is the responsibility of the information resource owner to ensure the appropriate IT risk assessment has been performed on the information resource. The Division of IT recommends that unit IT staff assist their staff and faculty in managing their information resources to ensure those resources are in compliance with university requirements (e.g., SAPs, security controls) and unit IT policies. Non-IT professionals who need assistance should contact their unit IT staff.

Assessment Approvals

The revised Standard Administrative Procedure (SAP) 29.01.03.M0.01, Security of Electronic Information Resources, requires the dean or vice president of the college or division to formally approve all college/division information security assessment reports. The approval process starts after the college or division has completed all IT risk assessments.

The college/division information security assessment report will include the results from the risk assessments, remediation plans, and risk management decisions. The CISO will review the information security assessment report and then provide notes in the executive summary of decisions or actions that may deserve additional consideration by the college or division. The executive summary and information security assessment report must be reviewed and approved by the respective dean or vice president.

The formal acceptance by the respective dean or vice president signifies the accuracy and completeness of the assessment results, as well as their support of indicated remediation plans (including any budgetary considerations) and risk management decisions.

Timeline

Each calendar year, all required procedures and due dates will be announced. College and division IT staff should develop a schedule to meet the due dates.

Process

The Division of IT uses a three-phased approach to assist the college and division personnel in completing all IT risk assessments. The time it takes to complete the three phases of the process will vary for each college and division.

Phase 1: Inventory Management/Resource Identification and Grouping

  • Identify all information resources in respective unit (college/division/department)
  • Group information resources into logical groups based on like security profiles

Phase 2: Assessment and Review

  • Answer questions related to university IT requirements
  • Review assessment results
  • Respond to findings (areas of non-compliance)

Phase 3: Reporting

  • Generate reports
  • Submit reports for review and signature