Summary

The annual IT risk assessment process for the university relies on support from a matrixed organization. It starts with each college, division, school, and branch campus identifying one Division Risk Assessment Coordinator (D-RAC) for each respective unit. The D-RAC is responsible for working with the Division of Information Technology (IT) and coordinating the efforts of their respective unit. This includes coordinating the efforts of the unit IT staff as well as individuals who are not considered IT professionals but who solely or partially manage information resources.

The Division of IT will provide guidance and training to ensure units can complete the process on time. The Division of IT will also review assessments and compile reports for the Chief Information Security Officer (CISO) and the Chief Information Officer (CIO). The dean or VP will be responsible for formally approving the results of the college/division information security assessment (report) and any associated unit risk management plans for his/her respective unit.

Key individuals in the Texas A&M University organization work together to facilitate risk assessments, including the CISO, Deans and Vice Presidents, and Division Risk Assessment Coordinators.

Organization Level (Texas A&M University)

CISO

The Chief Information Security Officer (CISO) is designated by the president of Texas A&M University and is ultimately responsible for the security of information resources for the university.

Division of IT - IT Risk Management and Policy Team

Facilitates the university IT risk management activities on behalf of the CISO to meet state requirements. This is accomplished by ensuring the colleges and divisions use a phased approach to complete all risk assessments. The time it takes to complete the three phases of the process will vary for each college and division.

A detailed breakdown of responsibilities by assessment phase is available on the Assessment Checklist.

Division Level (College, Division, School, or Branch Campus)

Dean/VP

The dean or vice president of a college or division plays a role in university annual IT risk assessments. According to the updated Standard Administrative Procedure 29.01.03.M0.01 - Security of Electronic Information Resources (07-18-2016):

“The Dean or Vice President for the division in which the unit resides shall formally approve the results of the information security assessment (report) and any associated unit risk management plans.”

Division Risk Assessment Coordinator (D-RAC)

A D-RAC is a liaison between his/her college or division and the Division of IT for the annual IT risk assessment process. The college or division will be responsible for choosing their D-RACs. Each college and division may have an appropriate number of D-RACs, depending on size and scope. A D-RAC is typically an upper-level IT professional who has a deep understanding of the IT resources used by the college or division. D-RACs are responsible for ensuring the assessment process is followed by all units that manage information resources within their college or division, and for ensuring all information resources are assessed. This is especially important in a college or division that is decentralized.

Assessor

The Assessor is a unit IT staff member who will answer the assessment questions, and then respond to Findings generated from the assessment results. This person should have IT expertise in specified areas and have detailed knowledge of the information resources they will assess.

Staff and faculty will be split into two groups (i.e., IT professionals and non-IT professionals) when it comes to IT risk assessments. Staff and faculty are split because non-IT professionals are not allowed to perform an IT risk assessment unless they have been formally approved by their respective dean or VP.

Reviewer

The Reviewer is another unit IT staff member who reviews an assessment to ensure accuracy. The Reviewer role is generally a secondary role for a D-RAC and/or Assessor. An individual cannot hold the Assessor and Reviewer roles for the same assessment. A Reviewer should have knowledge of the information resources that will be reviewed.

Non-IT Professionals

Staff and faculty members who are not considered IT professionals but are required to perform an information resource survey based on their level of responsibility for an information resource.

Levels of responsibility:

  • Solely responsible for managing the information resource(s) being assessed (e.g., a faculty-managed server or faculty-managed workstation)
  • Partially responsible for managing the information resource being assessed because they have administrative rights (e.g., local administrator privileges)

Note: Non-IT staff and faculty will complete an end user survey through a Google form.