The annual risk assessment process is a campus-wide risk assessment of information resources. It was implemented in 2007 to meet both regulatory (Texas Administrative Code, Rule §202.72) and compliance requirements. The process is designed to be relatively simple to follow, although effort will be required to collect and provide the requested information.
2007 was the first time that this process was used on a large scale on campus. The Information Security Office has spent a considerable amount of time and effort, and relied heavily on TSC feedback to improve the process and supporting application. We would like to acknowledge the participation of a number of the university’s technical support community in the development of the ISORA application. Their testing and feedback have been invaluable.
The core component of this process is the Information Security Office Risk Assessment (ISORA) Web application, which is designed to collect, analyze, and report on campus information resources risk data. Collecting this data requires campus-wide participation. Technical Support Coordinators (TSCs) are the core group who are responsible for providing information, and, if necessary, delegating the responsibility for providing information. Departmental heads are responsible for acknowledging the results once the TSCs and other delegates have completed their surveys.
Because this process is new, it is understood that a large portion of the work involved is determining which categories of data each system interacts with. To offset the work required for classification, the ISO is significantly limiting the number of questions that must be answered in the third part of the process. Only departmental questions specifically required by state laws, federal laws or university rules will be asked during this round of ISORA. This will allow the campus community to become familiar with the application, while providing basic system information that will form the foundation for future rounds of assessment. In subsequent risk assessments, much of the data provided will be reused, so systems that still have the same profile will only need to be reviewed and acknowledged.
The risk assessment process and ISORA application were developed by the Information Security Office specifically for the university community. There are several advantages to having developed this in house. First and foremost, it allows the university to retain control of the assessment process. Another benefit of in-house development is that the process and application can be — and have been — tailored to meet the unique needs of the university community. One example of this is the integration of information from the ISO's IoTron registration service, which saves a tremendous amount of effort in managing the complexity of delegation. In-house development also means that we have full access to all the data and can build reports as needed. There are already several basic reports, and more can be developed as demand warrants.