IT Risk Assessment Roles
Learn about the key roles involved in the annual IT risk assessment process.
Roles and Responsibilities in the Assessment Process
The annual IT risk assessment process at Texas A&M University is a collaborative effort, essential for maintaining an IT security posture that supports the university's mission and meets state requirements. The success of the process depends on individuals and teams across the university fulfilling specific responsibilities. Understanding these roles helps ensure the process runs smoothly and effectively.
Leadership and Oversight
Dean / Vice President
- Responsible for formally approving the annual IT risk assessment process results for their college, school, or division per SAP 29.01.03.M0.01 Security of Electronic Information Resources. This includes the results of the institutes and centers that report to them.
Chief Information Officer (CIO) / Vice President for Information Technology
- Provides university-level executive oversight for information technology and IT risk management strategy.
- Receives summary reports on the university's overall IT risk posture based on the annual assessments.
Chief Information Security Officer (CISO)
- Administers the university's information security program as required by state regulations (TAC 202).
- Publishes the official Information Security Risk Assessment Procedures (ISRAP) used for the annual IT risk assessment process.
- Provides guidance on IT risk management activities and reviews assessment results.
- Approves or coordinates the approval for risk acceptance decisions, particularly for low or moderate residual risks.
- Reports on the status and effectiveness of security controls to university leadership.
Coordination & Execution
Technology Services (IT Risk Management & Policy Team)
- Facilitates the university-wide annual IT risk assessment process on behalf of the CISO.
- Provides structure, guidance, training, and tools to support units in completing the process.
- Compiles reports and summaries for leadership review.
Risk Assessment Coordinator (RAC)
Each unit has at least one risk assessment coordinator (RAC), who will be the IT Director within the college, school, or division. Additional RACs can be identified by the IT Director to support the various departments, institutes, and centers under the college, school, or division.
- Acts as the liaison between their unit and the Technology Services IT Risk Management & Policy team.
- Oversees the IT risk assessment process within their unit, ensuring those who are required to participate have what they need to complete their portion of the process on time.
- Assists the Dean/VP in reviewing and approving the results.
State-Defined Roles
Individuals across campus who have the state-defined roles listed below play a part in the annual IT risk assessment process whether they realize it or not. The RAC(s) for their unit will assist them throughout the process.
Information Resource Owner
A person responsible for a business function and for determining controls and access to information resources supporting that business function.
Responsibilities per SAP 29.01.03.M0.01 Security of Electronic Information Resources:
- Responsible for assigning a designee, if needed, who will take on the assigned responsibilities.
- Responsible for ensuring that adequate IT security requirements (SAPs and security controls) are in place on their information resources, based on the categorization of the university data stored, processed, and/or transmitted. This includes any applicable federal and contractual requirements.
- Responsible for ensuring their information resource(s) are included in the annual IT risk assessment process.
Information Resource Custodian
A person responsible for implementing owner-defined controls and access to an information resource. Custodians may include university employees, vendors, and any third party acting as an agent of – or otherwise on behalf of – the university and/or the owner.
- Responsible for ensuring that adequate IT security requirements (SAPs and security controls) are in place on the information resources they are custodians for, based on the categorization of the university data stored, processed, and/or transmitted. This includes any applicable federal and contractual requirements.
- Responsible for assisting in the annual IT risk assessment process.
Last Modified: August 14, 2025