Information Security Risk Assessment Procedures (ISRAP)
The Information Security Risk Assessment Procedures (ISRAP) provide the details for completing the annual IT risk assessment process for which the university Chief Information Security Officer (CISO) is responsible, per Texas A&M System Regulation 29.01.03 (Information Security).
The Risk and Compliance team (under IT Security and Risk) manages the procedures and the process on behalf of the CISO.
Timeline
The process covers the calendar year (January - December), not the university's fiscal year (September - August).
Process
The process has three phases. The time it takes to complete each phase will vary for each college and division.
Phase 1: Inventory Management/Resource Identification and Grouping
- Identify all information resources in the respective unit (college, division, department, institute, etc.)
- Group information resources into logical groups based on like security profiles
Phase 2: Assessment and Review
- Answer questions related to university IT security requirements
- Review assessment results
- Respond to findings (areas of non-compliance)
Phase 3: Reporting
- Generate reports
- Submit reports for review and signature