Phase 1: Inventory Management/Resource Identification and Grouping
Knowing and understanding the information resources (IR) in your IT environment is essential, which is why it is the first phase. The results of the next two phases build on the foundation laid in this phase.
Information Resources: the procedures, computer equipment, computing facilities, software and data which are purchased, designed, built, operated and maintained to collect, record, process, store, retrieve, display, report and transmit information.
Who is responsible
The risk assessment coordinator (RAC) coordinates the completion of this phase for their unit (e.g., department, college, school, division). For most units, information resources are managed by the unit IT staff. In some cases, information resources are also managed by non-IT staff and/or faculty. The RACs should work with the local IT staff and with any non-IT staff or faculty who manage information resources.
Additional information about the IT risk assessment process roles can be found here.
How Phase 1 is completed
Phase 1 is completed with the use of spreadsheets. The spreadsheets will be stored in a TAMU Google Shared Drive. Personnel required to participate in the process will have access to the appropriate file level of the shared drive by using their TAMU Google account. Personal Google accounts will not be used to provide access. Users may be asked to claim their TAMU Google account in order to gain access.
There are multiple spreadsheets provided to help organize the required information for Phase 1. The spreadsheet(s) used will depend on the IT environment for the unit.
The risk assessment inventory list (RAIL) spreadsheet is the main spreadsheet that is required to be filled out. The purpose of the RAIL spreadsheet is to allow units to list and appropriately group their information resources so they can then accurately assess the information resources while reducing the number of assessments that will need to be completed.
The RAIL spreadsheet:
- Has the guidance on grouping the information resources.
- Is pre-populated with the information from the previous year as a starting point. It is the unit's responsibility to update that information.
- Has the information that will be imported in the eGRC tool used to complete the IT risk assessments in Phase 2.
Information from Axonius should be used to help with the quantities for end-user devices and servers.
Grouping
The IT risk assessment process uses grouping of information resources at two levels.
The first level splits information resources out by type; the types are defined by the IT Risk and Compliance team. The second level is based on how the information resources of the same type are managed. The local IT staff decide how they group their information resources as long as they follow the basic guidance provided by the IT Risk and Compliance team. Guidance is provided per information resource type on how and when it is appropriate to group information resources.
The goal of grouping information resources is to help reduce the number of assessments that have to be completed in Phase 2 while still ensuring the resources are accurately assessed.
Information Resource Types
Information resources are not all the same. Certain features, characteristics, and use cases impact how and if certain IT security requirements (e.g., security controls, Standard Administrative Procedures (SAPs)) can be implemented.
| IR Type | IR Description | Examples |
|---|---|---|
| Appliances | A computing device (physical or virtual) that provides predefined services, and that has its underlying operating software and packages/services hidden beneath an application-specific interface. | A storage appliance, video-streaming appliance, etc. |
| Applications | Networked applications/services that are used for university business and/or store or process university data. It does not matter whether or not the application/service is paid for. This should include hosted applications/services as well as third-party hosted/cloud service models (PaaS, IaaS, SaaS). The "2024 Applications-Services Guidance.pdf" document (link in cell L3) has additional information on what applications/services should be included. | Active Directory, SharePoint, in-house developed applications, content management systems (e.g., Cascade, WordPress), SaaS business applications, etc. |
| Databases | Databases that are used for university business and/or store or process university data. In most cases, focus on the Databases Management Systems (DBMS). | MS SQL, MySQL, Oracle, PostgreSQL, MariaDB, NoSQL, DB2, etc. |
| End-User Devices | A personal computer (desktop or laptop) or consumer device (e.g., personal digital assistant [PDA], smart phone) used primarily by a single end user for daily work (from NIST Special Publication 800-111). | Desktops, laptops, tablets, smartphones, etc. |
| Misc. Equipment | Networked equipment that processes and/or stores data, but does not fall within one of the other information resource types. | Internet of Things (IoT) devices, multi-function printers, VoIP phones, networked video/security cameras, network-attached sensors, a computer that is associated with research/lab equipment, etc. |
| Networks | A network that has access to the internet. | Campus network, etc. |
| Network Equipment | Also called network hardware or network devices. Physical or virtual devices which are required for communication and connectivity between devices on a network. Networking equipment performs a specific function or role in a network and its segments like traffic control, connectivity, and segmentation. | Switches, routers, firewalls (physical or virtual), appliances (physical or virtual) that perform network related functions, etc. |
| Servers | A machine or software (computer program) that provides data or functionality for other programs or devices on a network. | Linux servers, virtual Windows servers, hypervisors/hosts, NAS, containers, SANs, a desktop that provides other users technical services, etc. |
| Server Rooms | Any room that houses IT equipment (other than end-user devices and/or network equipment) for the unit. This includes rooms that are not owned or directly managed by the unit. This does not include rooms that only have networking equipment (network and/or switching closets) or enterprise data centers (West Campus Data Center, Main Campus Data Center) that your group is not responsible for managing. | Server closet, server room, University Enterprise Data Center, vendor-managed server room, rooms with broadcasting equipment, etc. |
Grouping examples:
- A group of 100 laptops with Windows 11 that are joined to Active Directory with the same GPOs and are updated through Intune. This allows one assessment to cover the 100 laptops instead of 100 separate assessments.
- Five internally developed applications that follow the same SDLC and are managed in a similar fashion by the same development team.
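To make the two-level grouping concrete, the following is an added Python example (not part of the original process documentation or the RAIL spreadsheet). It takes constructed RAIL-style rows, groups them first by the IR type from the table above and then by a hypothetical `managed_as` field standing in for how each resource is managed, and reports how many assessments the grouping yields.

```python
from collections import defaultdict

# First-level grouping: the IR types defined in the table above.
IR_TYPES = {
    "Appliances", "Applications", "Databases", "End-User Devices",
    "Misc. Equipment", "Networks", "Network Equipment", "Servers", "Server Rooms",
}

# Constructed sample inventory rows (hypothetical; not from a real RAIL spreadsheet).
# "managed_as" is an assumed field describing how the resource is managed
# (GPO set, MDM, SDLC, team), which drives the second grouping level.
SAMPLE_INVENTORY = [
    {"name": "laptop-001", "type": "End-User Devices", "managed_as": "AD/GPO-set-A/Intune"},
    {"name": "laptop-002", "type": "End-User Devices", "managed_as": "AD/GPO-set-A/Intune"},
    {"name": "laptop-003", "type": "End-User Devices", "managed_as": "AD/GPO-set-A/Intune"},
    {"name": "macbook-001", "type": "End-User Devices", "managed_as": "Jamf-standard"},
    {"name": "grants-app", "type": "Applications", "managed_as": "DevTeam-1/SDLC-v2"},
    {"name": "travel-app", "type": "Applications", "managed_as": "DevTeam-1/SDLC-v2"},
    {"name": "survey-app", "type": "Applications", "managed_as": "DevTeam-1/SDLC-v2"},
    {"name": "lab-pc-7", "type": "Misc. Equipment", "managed_as": "Lab-staff/vendor-image"},
]


def group_information_resources(rows):
    """Group rows first by IR type, then by how they are managed.

    Returns a dict keyed by (type, managed_as) -> sorted list of names.
    Raises ValueError for a type outside the defined IR types, because the
    first level is fixed by the IT Risk and Compliance team, not the unit.
    """
    groups = defaultdict(list)
    for row in rows:
        if row["type"] not in IR_TYPES:
            raise ValueError(f"{row['name']}: unknown IR type {row['type']!r}")
        groups[(row["type"], row["managed_as"])].append(row["name"])
    return {key: sorted(names) for key, names in groups.items()}


def assessment_summary(rows):
    """Return (resource count, assessment count, per-group quantities)."""
    groups = group_information_resources(rows)
    quantities = {key: len(names) for key, names in groups.items()}
    return len(rows), len(groups), quantities


if __name__ == "__main__":
    total, needed, qty = assessment_summary(SAMPLE_INVENTORY)
    print(f"{total} resources -> {needed} assessments")
    for (ir_type, managed_as), n in sorted(qty.items()):
        print(f"  {ir_type:18} {managed_as:24} qty={n}")
```

The per-group quantity is the figure that would be entered in the RAIL spreadsheet for each grouped assessment; a resource with a management profile that differs from its peers (the Jamf-managed laptop here) correctly lands in its own group.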