Risk Management Lifecycle


The Information Security Office facilitates formal, ongoing risk assessments for software, services, and other high-value information resources that need a regular security check-up. Service Evaluations and Risk Assessments help assess, document, and manage security risks posed to university information resources. Each serve a different purpose in the risk management lifecycle.

Service Evaluations

Service Evaluations are conducted by the ISO before things like systems, services, and software are set up and put into use. The ISO reviews information about how a service will be used, what data it will handle, how it can protect that information, and what risks it may present to the university. If necessary, the service is also flagged for annual or biennial, recurring risk assessments. The ISO then creates a data security plan to help ensure the service can be used safely.

Risk Assessments

Risk Assessments are a separate process from service evaluations. They are required for high-value and high-risk services, systems, locations, networks, and workstations to quantify risks they present to the university and to ensure compliance with good practice. Unlike service evaluations, risk assessments must be completed annually or biennially (depending on the risk presented by the service) by the information resource owners and custodians outside of the ISO.

Expand All Content

Information Security Glossary

The information security glossary is a searchable and filterable glossary of terms and definitions we use in all aspects of our work. Familiarize yourself with this terminology to deepen your understanding of information security at Texas State University.