RA-3 Risk Assessment

Description

Clearly defined authorization boundaries are a prerequisite for effective risk assessments.

Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the nation based on the operation and use of information systems.

Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities).

In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.

Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring.

RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework.

Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation.

Applicability

This Control applies to all information security risk assessments that are conducted annually for university information resources.

The intended audience includes all University personnel involved in performing, assisting with, approving, or making risk management decisions related to information security risk assessments

Implementation

TAMU-CC:

1. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits. A risk assessment of information resources shall be performed and documented. The risk assessment shall be updated based on the inherent risk. The inherent risk and frequency of the risk assessment will be ranked, at a minimum, as either “High,” “Moderate,” or “Low.”;
2. Documents risk assessment results in annual report to the University President/CEO. Risk assessment results, vulnerability reports, and similar information shall be documented and presented to the state organization head or his or her designated representative(s). The state organization head or his or her designated representative(s) shall make the final risk management decisions to either accept exposures or protect the data according to its value/sensitivity. The state organization head or his or her designated representative(s) shall approve the security risk management plan. This information may be exempt from disclosure under Texas Government Code, 2054.077: Vulnerability Reports [TGC 2054.077(c)];
3. Reviews risk assessment results annually;
4. Disseminates risk assessment results to Chief Information Officer (CIO) and the University President/CEO; and
5. Updates the risk assessment annually or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

Revision History

Last Updated: February 21, 2025

Previous Versions:

• June 29, 2023
• May 31, 2022
• March 25, 2021
• September 16, 2019