Annual IT Risk Assessments
The annual IT risk assessment is key to the University's IT risk management strategy, ensuring effective security measures, compliance, and acceptable risk management. It offers a roadmap for continuous security improvement.
Understanding the Annual IT Risk Assessment
Texas A&M University relies heavily on IT resources to support its mission of teaching, research, and service. Protecting these information resources is essential. The Annual IT Risk Assessment is a systematic process that the university undertakes each year to help ensure that security measures are effective, resources are protected, compliance obligations are met, and risks are managed to a level acceptable to the university. The documented results and finding responses provide a roadmap for continuous improvement in our security posture. This process is mandated by state law (Texas Administrative Code Chapter 202) and Texas A&M System regulations.
Why Conduct IT Risk Assessments?
The primary goals of the annual IT risk assessment process are to:
- Identify Risks: Discover threats and vulnerabilities that could impact university IT resources.
- Evaluate Impact: Understand the potential consequences if confidentiality, integrity, or availability of information or systems were compromised.
- Ensure Compliance: Verify that university IT resources comply with the appropriate IT security requirements (security controls, Standard Administrative Procedures).
- Prioritize Resources: Help university leadership and IT staff make informed decisions about where to focus security efforts and resources.
- Manage Risk: Develop plans to mitigate identified risks to an acceptable level through improved controls, processes, or other measures.
The Assessment Process at Texas A&M
The annual IT risk assessment process is a collaborative effort involving units across the university, facilitated by Texas A&M Technology Services. The process follows the Information Security Risk Assessment Procedures (ISRAP), which include ensuring that IT resources are accounted for in an IT inventory review.
Key Roles in the Process
Successfully completing the IT risk assessment process requires clear roles and shared responsibility. From university leadership to individuals directly responsible for managing the information resources, each employee has a role to play in the annual risk assessment process.
Last Modified: August 14, 2025