RA-3 Risk Assessment
Description
Information security risk assessments are vital for maintaining the security of information resources and for meeting legal requirements for protecting confidential information. The goal of these procedures is to assist information resource owners in managing the risks associated with university information resources and in meeting Federal, State and University requirements.
Applicability
- This Control applies to all information security risk assessments that are conducted annually for university information resources.
- The intended audience includes all University personnel involved in performing, assisting with, approving, or making risk management decisions related to information security risk assessments.
Implementation
1 - An information security risk assessment shall be performed and documented for all university information resources.
1.1 - Risk assessment shall be performed annually, or sooner when there are significant changes to the information resource.
1.2 - The assessments shall be completed using the Information Security Risk Assessment Procedures published by the Texas A&M Chief Information Security Officer (CISO).
2 - The Office of the CISO shall review the Information Security Risk Assessment Procedures (ISRAP) annually to ensure the effectiveness and efficiency of the risk assessment process.
2.1 - The review process shall include, where appropriate: integration, documentation, review, and dissemination of the assessment results to appropriate stakeholders.
2.2 - Detailed guidelines can be found at the ISRAP website.
3 - Annual risk assessments shall consider risks to supply chains associated with university information resources.