RA-3: Risk Assessment
NIST Baseline: Low
Privacy Baseline: Yes
DIR Required By: 07/20/2023
Review Date: 07/31/2024
- Texas A&M University System (TAMUS) Regulation 29.01.03, Information Security, requires an annual information security risk assessment that complies with Texas Administrative Code (TAC) §202.75.
- Information resource custodians must conduct a risk assessment for each High Impact Information Resource every year, for each Moderate Impact Information Resource every other year, and for each Low Impact Information Resource every three years. Each risk assessment shall include:
  - Identifying threats to and vulnerabilities in the system; and
  - Determining the likelihood and magnitude of harm from unauthorized use, disclosure, disruption, modification, or destruction. Risks and impacts will be ranked, at a minimum, as “High,” “Moderate,” or “Low.”
- The assessment results, vulnerability reports, and the inventory must be provided to the Tarleton State University (Tarleton) Chief Information Security Officer (CISO) for review as required by TAC §202.75 and TAMUS Regulation 29.01.03, Information Security.
- Approval of security risk acceptance, transfer, or mitigation decisions is the responsibility of:
  - The Tarleton CISO or their designee(s), in coordination with the information resource owner, for systems identified with Low or Moderate residual risk; and
  - The President/CEO or their designee for all systems identified with High residual risk.
- Assessment results and risk decisions will be used as a basis for the Tarleton Information Security Program as required by TAC §202.74. See Control PL-2, System Security and Privacy Plans; Control PM-1, Information Security Program Plan; Control PM-4, Plan of Action and Milestone Process; Control PM-6, Measures of Performance; and Control PM-9, Risk Management Strategy.
- The schedule of future risk assessments will be documented as required by TAC §202.75, in accordance with TAMUS Regulation 29.01.03, Information Security. Currently the schedule is based on the information resource impact risk rating of “High,” “Moderate,” or “Low”:
  - High Impact Information Resources will have a risk assessment conducted every year;
  - Moderate Impact Information Resources (those maintaining confidential information) will have a risk assessment conducted every other year; and
  - Low Impact Information Resources (all other applicable information resources) will have a risk assessment conducted every three years.
- Information security risk assessments may be excepted from disclosure under Texas Government Code §2054.077(c) or Texas Government Code §552.139.