RA-1: Risk Assessment – Policy and Procedures
NIST Baseline: Low
Privacy Baseline: Yes
DIR Required By: 07/20/2023
Review Date: 07/31/2024
Purpose –
The Risk Assessment Policy and associated controls describe the requirements for identifying, analyzing, and managing information security risks associated with Tarleton State University (Tarleton) information and information resources.
Scope and Roles –
This policy applies to information resources owned or managed by Tarleton. The intended audience includes all involved in hiring and personnel management, the Tarleton Chief Information Officer (CIO), Chief Information Security Officer (CISO), and information resource owners and custodians.
Compliance –
Risk Assessment controls are implemented to ensure compliance with Title 1 Texas Administrative Code (TAC) §202.75, §202.74, and the Texas Department of Information Resources (DIR) Security Control Standards Catalog as required by TAC §202.76 and Texas A&M University System (TAMUS) Regulation 29.01.03, Information Security.
Implementation –
- The Tarleton CISO, in coordination with information resource owners and custodians, shall develop, document, and disseminate a set of controls that addresses the risk assessment for information resources. These controls should:
  - Address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  - Be consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
- Information resource owners and custodians are responsible for any procedures that facilitate the implementation of the Risk Assessment controls, in order to ensure proper risk assessment and management;
- The Tarleton CISO, or their designee, shall review and update the Risk Assessment controls as necessary.