Risk Assessment and Mitigation

1. GENERAL

Risk assessments are vital procedures for maintaining continuity of university operations, the security of information resources, and meeting the legal requirements for protecting confidential information. The purpose and goal of these assessments can only be achieved if the assessments are conducted effectively. The purpose of this university procedure is to implement a monitoring process that adequately provides management with assurance that the information on which risk assessment assertions are made is correct. The goal of these procedures is to assist Texas A&M University-Corpus Christi departments with improving the value and accuracy of their risk assessments and the effectiveness of their use of the Information Security Awareness, Assessment and Compliance (ISAAC) system.

2. APPLICABILITY

This university procedure applies to all information resources that are attached to the university network. The intended audience includes all university personnel involved in performing, approving, or making risk management decisions related to information security risk assessments.

3. DEFINITIONS

Please refer to University Procedure 29.01.03.C2.01 Definitions.

4. PROCEDURES

4.1. Deans, division managers, and department heads shall not limit risk assessments to the risks associated with information resources.

(1) Deans, division managers, and department heads shall regularly assess risks related to any area that might adversely affect the university (e.g., safety of personnel, management of sensitive information, training, business continuity, disaster recovery, etc.).

(2) Deans, division managers, and department heads are responsible for monitoring the mitigation of all risks associated with the risk assessments for which they are responsible.