Phase 2: Information Resource Assessment and Review

IT risk assessments will be completed on the information resources identified during Phase 1. How often an assessment is required depends on certain attributes of the information resource (see "Frequency of assessments" below).

IT Security & Risk uses OneTrust as its IT risk assessment tool. IT leadership identifies those who will participate in the IT risk assessment process during Phase 1. Those who are required to participate will have the role of assessor, reviewer, or both.

Who is responsible

The risk assessment coordinator (RAC) coordinates the completion of this phase for their unit (e.g., department, college, school, division). For most units, information resources are managed by the unit IT staff. In some cases, information resources are also managed by non-IT staff and/or faculty. RACs should work with the local IT staff and, where applicable, the non-IT staff or faculty who manage information resources.

Additional information about the IT risk assessment process roles can be found here.

How Phase 2 is completed

OneTrust is the tool used to complete the assessments.

Additional information about OneTrust can be found here.

Frequency of assessments

For the most part, the university will follow TAMU System Regulation 29.01.03 (Information Security) regarding the frequency of assessments this year. All information resources will be assessed in OneTrust by the end of 2025, which will allow the university to follow the regulation's frequency requirements more closely in subsequent years.

Excerpt from the regulation:

i. annually, for high-impact information resources;

ii. biennially, for other information systems containing confidential data, and

iii. triennially, for all remaining information systems;

For 2025:

  1. Information resources that have never been assessed:
    1. New information resources: usually resources purchased and/or put into production after the 2024 IT risk assessment process.
    2. Information resources that have been in production but were missed or not included in the previous year.
  2. Information resources listed in the 2024 IT risk assessment process that meet any of the following:
    1. Based on the guidance provided in 2024, the resource was listed but not assessed because there were no significant changes since it was assessed in 2023.
    2. The resource has an impact level of High.
    3. A new group/team has become responsible for managing the resource since the 2024 IT risk assessment process.
    4. At the CISO's discretion.

Answer choices and questions that still apply for 2025 will be carried over from the completed 2024 assessment. The assessor(s) will need to answer the new questions and update any questions where the answer has changed (e.g., a risk/finding that has since been remediated).

Assessment Questions

Questions asked in the risk assessment are related to university IT security requirements (Security Controls Catalog, Standard Administrative Procedures (SAP)). A few questions are not related to existing university requirements; these are included to:

  • prepare for future requirements
  • gather information
  • reflect industry best practices