Risk Management Lifecycle

Security Assessments are conducted by the Information Security Office, usually before a product, application, or service is used to make sure it can be implemented securely. Risk Assessments are primarily completed by the owners and custodians of information resources on a recurring basis to make sure the resources are still secure and to compare their security posture to that of other resources.

Some products are offer a feature lineup similar to in-place services offered by IT, and where there’s redundancy, there isn’t much incremental benefit for the risk that comes with those duplicated services. In other cases, Texas State doesn’t have a business-to-business agreement with the service provider, so there’s neither contractual protection for the information that it may handle nor an ability for effective, enterprise-grade management, support, and oversight.

University policy, state laws that drive policy creation, and best practice all require that the Information Security Office assesses products prior to procurement or use. The same policies and practices require that the ISO facilitate ongoing risk assessments for the university's information systems so the risks posed by their use can be measured and mitigated as appropriate.

Yes, both Security Assessments and Risk Assessments are required by university-level policy.

Yes, both Security Assessments and Risk Assessments are required by university-level policy. Teams under the Office of Research and Sponsored Programs may also require additional procedures that involve the ISO to help ensure the goals of a grant or project can be met while protecting the information involved.

Even though the Information Security Office has conducted security assessments, it is possible that your product has not been brought to the attention of the ISO for assessment. Historic acquisitions may have been assessed under different criteria, or the way in which they were acquired may have prevented the ISO from learning about it until later.

The request form helps provide the ISO and other teams with accurate information about how you or your department use the software or service, including the types of data involved and how many users there will be.

If a request is particularly urgent, please let the ISO know. Some parts of the review can be expedited based on requesters’ timelines; however, some portions rely on vendors’ diligence and willingness to provide the information needed to conduct the assessment.

In most cases, yes, if for nothing else than product and risk inventory purposes. Free and/or open-source products often come with terms of use that could have negative consequences for the university. Unfortunately, even free products have the potential be the cause of a major incident.

Developed by members of EDUCAUSE, the HECVAT (short for “Higher Education Cloud Vendor Assessment Tool”) is a standardized self-assessment intended for vendors to complete for prospective, higher-education customers. The HECVAT is intended to provide the ISO nearly all the information needed to assess a vendor’s security posture to help ensure it’s an appropriate tool for the job and place for the data it will handle. More information about the HECVAT is available at https://educause.edu/hecvat. 

Just as different departments have different business processes, they may also use software and services differently from one another. Contextual information, including classification of data that will be stored, processed, and/or transmitted, can make a big difference in whether a product can be authorized and what risks it may pose. In other words, something authorized for handling small volumes of public information may not have a security posture commensurate to high volumes of confidential data. 

No, the ISO can begin a security assessment at any time in your selection process well ahead of a purchasing decision being made. If a department is still narrowing their field of options, the ISO would prefer to assess only the front-runners to prevent wasted time and efforts.

No, the ISO does not charge back for Security Assessments.

Go to the Beacon login page and use the "SAML Authentication" button to log on with your NetID and password via Single Sign-On (SSO). Beacon is only accessible from the campus network and the Remote Access VPN portal.

State administrative code (Texas Administrative Code 202.72.1.A.H and 202.75) requires that information resource owners participate in risk assessments of the resources for which they are responsible. The ISO helps facilitate this process through formalized Risk Assessments and the Security Assessment process, but the ISO cannot answer resource-specific questions on behalf of information resource owners.

Information resource owners are required to participate in the risk assessment process. Formal and informal (university-employed) information resource custodians may, however, assist with answering questions and providing background information. The ISO can also help provide clarification as necessary.

No, but Information Resource Owners and Custodians may contact relevant external parties on an as-needed basis to get answers to specific questions about the information security system being assessed. 

Please contact the ISO as soon as possible at InfoSecGRC@txstate.edu so documentation can be updated and the proper contact identified.

This answer depends on many factors, including the type and volume of information handled by your service, as well as the impact an incident related to it could have on the institution. Nonetheless, if you have been identified as a risk assessor, your participation is almost certainly required. 

Risk assessments must be completed by the stated end date to facilitate institutional reporting requirements. If you are concerned about being able to complete your assessment(s), please contact the ISO at InfoSecGRC@txstate.edu with information about exigent matters or extenuating circumstances. 

There are a few possible reasons. A formal Security Assessment may not have been previously conducted, or the risk presented by your product may have changed relative to other contemporary services.

The questionnaire sent to you via Beacon will accommodate the decommissioning of an information system. 

Information gathered by ongoing risk assessments are used by the ISO to gain a broad, quantifiable image of the security risks presented to the university and to address one-off findings as well as potential “hot spots” that may be common across the institution. Information about these security risks is also reported in varying detail to the university’s President, the Vice President of IT, and the rest of the president’s cabinet, along with the State’s Department of Information Resources.

Absolutely. Please contact InfoSecGRC@txstate.edu with your request.

In almost every case, yes. Please contact InfoSecGRC@txstate.edu with your request and more information about the assessable objects for which ongoing risk assessments should be scheduled.