Summary

The annual IT risk assessment process for the university relies on support from a matrixed organization. It starts with each college, division, school, and branch campus identifying one Division Risk Assessment Coordinator (D-RAC) for its respective unit. The D-RAC is responsible for working with the Division of Information Technology (IT) and coordinating the efforts of their respective unit on behalf of their dean/VP. This includes coordinating the efforts of the unit IT staff as well as individuals who are not considered IT professionals but solely or partially manage information resources.

The Division of IT will provide structure, guidance, and training to ensure units can complete the process. The Division of IT will also review results and compile reports for the Chief Information Security Officer (CISO) and the Chief Information Officer (CIO). The dean or VP will be responsible for formally approving the results of the college/division information security assessment (report) and any associated unit risk management plans for his/her respective unit. Key individuals in the Texas A&M University organization work together to facilitate risk assessments, including the CISO, Deans and Vice Presidents, and Division Risk Assessment Coordinators.

University Level

CIO

TAC §202.70 assigns responsibility for protection of information resources to the President of the University. For the purposes of this rule, the authority and responsibility regarding the university's compliance with TAC 202 has been delegated by the President to the Vice President for Information Technology & Chief Information Officer (CIO) in TAMU SAP 29.01.03.M0.01 - Security of Electronic Information Resources.

CISO

The Chief Information Security Officer (CISO) is designated by the President of the University and is ultimately responsible for the security of information resources for the university.

Responsibilities

  • Texas Administrative Code Rule §202.71
    • Rule §202.71(b)(6)&(7): Ensures that annual information security risk assessments are performed and documented for all Texas A&M University information resources
    • Rule §202.71(b)(11): Reports, at least annually, to the Texas A&M University head on the status and effectiveness of security controls
  • Provide guidance on all matters pertaining to IT risk management activities
  • Review IT risk assessments and related risk management decisions
  • Report to the CIO and university president (see Dean/VP Approval Process for documentation submitted)

Link to CISO responsibilities: https://it.tamu.edu/policy/it-risk-management/risk-assessment-roles/ciso.php

Division of IT - IT Risk Management and Policy Team

Facilitates the university IT risk management activities on behalf of the CISO to meet state requirements. This is accomplished by ensuring the colleges and divisions use a phased approach to complete all risk assessments. The time it takes to complete the three phases of the process will vary for each college and division.

A detailed breakdown of responsibilities by assessment phase is available on the Assessment Checklist.

Division Level (College, Division, School, or Branch Campus)

Facilitates the university IT risk management activities on behalf of the CISO to meet state requirements. This is accomplished by ensuring the colleges and divisions have the required information (e.g., guidance, process approach), resources (e.g., tools, documents, etc.) and assistance necessary to complete the IT risk assessment process.

Responsibilities

A detailed breakdown of responsibilities by assessment phase is available on the Assessment Checklist.

Dean/VP

The dean or vice president of a college or division plays a role in the university annual IT risk assessment process. According to the Standard Administrative Procedure 29.01.03.M0.01 - Security of Electronic Information Resources (October 25, 2019):

“The Dean or Vice President for the division in which the unit resides shall formally approve the results of the information security assessment (report) and any associated unit risk management plans.”

Responsibilities

  • Formally approve the results of the information security assessment (report) and any associated unit risk management plans. This process will be done with coordination between the respective D-RAC(s) and the Division of IT (see Dean/VP Approval Process for details).
  • *Formally approve all staff and faculty members in the college or division who are non-IT professionals, but still manage (partially or solely) information resources.

Division Risk Assessment Coordinator (D-RAC)

A D-RAC is the main liaison between his/her college or division and the Division of IT for the annual IT risk assessment process. The college or division will be responsible for choosing their D-RAC. A D-RAC is typically an upper-level IT professional who has a deep understanding of the information resources used by the college or division. The D-RAC will be responsible for coordinating efforts concerning the IT risk assessment process for the college or division, acting on behalf of the dean or VP. This includes ensuring the assessment process is followed by all units who manage information resources within their college or division, and ensuring all information resources are properly assessed. This is especially important in a college or division that is decentralized (has multiple independent IT departments).

Responsibilities

Overall Process:

  • Liaison to the Division of IT
  • Monitor progress throughout all phases
  • Assist the dean or VP with his/her responsibilities

A more complete explanation of responsibilities is available on the IT Managed Assessment Checklist.

Assessor

The Assessor is a unit IT staff member who will answer the assessment questions, and then respond to findings generated from the assessment results. This person should have IT expertise in specified areas and have detailed knowledge of the information resources they assess.

Responsibilities

A detailed explanation of responsibilities is available on the IT Managed Assessment Checklist.

Reviewer

The reviewer is another unit IT staff member who reviews the assessment results and finding responses provided by the assessor to ensure accuracy. A reviewer should have knowledge on the information resources that will be reviewed. The reviewer role is generally a secondary role for a D-RAC, RAC, and/or assessor.

An individual cannot hold the assessor and reviewer roles for the same assessment. 

Responsibilities

A detailed explanation of responsibilities is available on the IT Managed Assessment Checklist.

Risk Assessment Coordinator (RAC)

A RAC assists the D-RAC in completing the annual IT risk assessment process. The D-RAC will be responsible for choosing their RACs as required. Each college and division may have an appropriate number of RACs, depending on size and scope. A RAC is typically an upper-level IT professional who has a deep understanding of the information resources used by the college or division, usually at the department level. RACs are responsible for ensuring the assessment process is followed by the department, and ensuring all information resources are assessed.

Responsibilities

Overall Process:

  • Assist the D-RAC with his/her responsibilities
  • Monitor progress throughout all phases

A more complete explanation of responsibilities is available on the IT Managed Assessment Checklist.

Non-IT Professionals

Staff and faculty members who are not considered IT professionals, but are required to complete IT risk assessments based on their level of responsibility for managing an information resource.

Levels of responsibility:

  • Solely responsible for managing the information resource(s) being assessed (e.g., faculty managed server, faculty managed workstation)
  • Partially responsible for managing the information resource being assessed because they have administrative rights (e.g., local administrator privileges)

Responsibilities

A detailed explanation of responsibilities is available on the Non-IT Pro page.