Information security risk assessments are vital procedures for maintaining the security of information resources and meeting legal requirements for protecting confidential information. To comply with Texas Administrative Code, Title 1, Chapter 202 (TAC 202), Texas A&M University has established policies for annual risk assessment reporting and review.

Units having ownership or custodial responsibility for information resources shall annually assess their security posture and measure their compliance with TAC 202 with an approved risk assessment reporting process. Following this assessment, a security assessment report shall then be submitted to the Vice President for Information Technology & Chief Information Officer.

After the completion of the annual risk assessment reporting process, Risk Management and Policy personnel will review all security assessment reports. Based on this review, some assessments will be selected for additional review based on inherent risk or at the direction of the Vice President for Information Technology & Chief Information Officer (or designee).

After the completion of the annual risk assessment review process, Technology Services will compile the results of the reviews into an Information Security Risk Assessment Review Report. This report is submitted to the Chief Information Security Officer, and it may influence the university's IT Risk Management Plan.

• TAC 202 Security Control Standards Catalog - Risk Assessment Control Family
• TAC 202.71
• TAMU SAP 29.01.03.M0.01 Security of Electronic Information Resources
• TAMU Information Security Control RA-3 Risk Assessment