{"id":1753,"date":"2024-08-06T17:38:28","date_gmt":"2024-08-06T17:38:28","guid":{"rendered":"https:\/\/www.tarleton.edu\/security-controls-catalog\/?page_id=1753"},"modified":"2024-09-06T19:16:35","modified_gmt":"2024-09-06T19:16:35","slug":"ra-1-risk-assessment-policy-and-procedures","status":"publish","type":"page","link":"https:\/\/www.tarleton.edu\/security-controls-catalog\/risk-assessment-ra\/ra-1-risk-assessment-policy-and-procedures\/","title":{"rendered":"RA-1: Risk Assessment \u2013 Policy and Procedures"},"content":{"rendered":"\n<h1 class=\"wp-block-heading has-large-font-size\">RA-1: Risk Assessment \u2013 Policy and Procedures<\/h1>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>NIST Baseline: <\/strong>Low&nbsp;<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>Privacy Baseline: &nbsp;<\/strong>Yes&nbsp;<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>DIR Required By:<\/strong> &nbsp;07\/20\/2023&nbsp;<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>Review Date: \u00a0<\/strong>07\/31\/2024\u00a0<\/h2>\n\n\n\n<hr class=\"wp-block-separator alignfull has-text-color has-tarleton-purple-color has-alpha-channel-opacity has-tarleton-purple-background-color has-background is-style-wide\"\/>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>Purpose &#8211;<\/strong>&nbsp;<\/h3>\n\n\n\n<p>The Risk Assessment Policy and associated controls describe the requirements for identifying, analyzing, and managing information security risks associated with Tarleton State University (Tarleton) information and information resources. &nbsp;<\/p>\n\n\n\n<hr class=\"wp-block-separator alignfull has-text-color has-tarleton-purple-color has-alpha-channel-opacity has-tarleton-purple-background-color has-background is-style-wide\"\/>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>Scope and Roles &#8211;<\/strong>&nbsp;<\/h3>\n\n\n\n<p>This policy applies to information resources owned or managed by Tarleton.&nbsp;The intended audience includes all involved in hiring and personnel management, the Tarleton Chief Information Officer (CIO), Chief Information Security Officer (CISO), and information resource owners and custodians.&nbsp;<\/p>\n\n\n\n<hr class=\"wp-block-separator alignfull has-text-color has-tarleton-purple-color has-alpha-channel-opacity has-tarleton-purple-background-color has-background is-style-wide\"\/>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>Compliance &#8211;<\/strong>&nbsp;<\/h3>\n\n\n\n<p>Risk Assessment controls are implemented to ensure compliance with Title 1 Texas Administrative Code (TAC) <a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=75\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a7202.75<\/a>, <a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=74\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a7202.74<\/a>, and the Texas Department of Information Resources (DIR) Security Control Standards Catalog as required by TAC <a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=76\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a7202.76<\/a> and Texas A&amp;M University System (TAMUS) <a href=\"http:\/\/policies.tamus.edu\/29-01-03.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Regulation 29.01.03, Information Security<\/a>. &nbsp;<\/p>\n\n\n\n<hr class=\"wp-block-separator alignfull has-text-color has-tarleton-purple-color has-alpha-channel-opacity has-tarleton-purple-background-color has-background is-style-wide\"\/>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>Implementation &#8211; <\/strong>&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list its-nested-list\">\n<li>The Tarleton CISO, in coordination with information resource owners and custodians, shall develop, document, and disseminate a set of controls that addresses the risk assessment for information resources. These controls should:&nbsp;\n<ul class=\"wp-block-list\">\n<li>Address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and&nbsp;<\/li>\n\n\n\n<li>Be consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Information resource owners and custodians are responsible for any procedures to facilitate the implementation of the Risk Assessment controls in order to ensure proper risk assessment and management;&nbsp;&nbsp;&nbsp;&nbsp;<\/li>\n\n\n\n<li>The Tarleton CISO, or their designee, shall review and update the Risk Assessment controls as necessary.&nbsp;<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator alignfull has-text-color has-tarleton-purple-color has-alpha-channel-opacity has-tarleton-purple-background-color has-background is-style-wide\"\/>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>References\/Additional Resources<\/strong><\/h3>\n\n\n\n<p><a href=\"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/circulars\/A130\/a130revised.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">OMB A-130<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-12r1\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-12<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-30r1\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-30<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-39\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-39<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-100\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-100<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=24#:~:text=%C2%A0%C2%A0(2)%20policies%2C%20controls%2C%20standards%2C%20and%20procedures%20that%3A\" target=\"_blank\" rel=\"noreferrer noopener\">1 TAC \u00a7 202.24 (a)(2)<\/a> &nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=74#:~:text=%C2%A0(2)%20policies%2C%20controls%2C%20standards%2C%20and%20procedures%20that%3A\" target=\"_blank\" rel=\"noreferrer noopener\">1 TAC \u00a7 202.74 (a)(2)<\/a>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>RA-1: Risk Assessment \u2013 Policy and Procedures NIST Baseline: Low&nbsp; Privacy Baseline: &nbsp;Yes&nbsp; DIR Required By: &nbsp;07\/20\/2023&nbsp; Review Date: \u00a007\/31\/2024\u00a0 Purpose &#8211;&nbsp; The Risk Assessment Policy and associated controls describe &#8230;<\/p>\n","protected":false},"author":1,"featured_media":580,"parent":1510,"menu_order":1,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"inline_featured_image":false,"advgb_blocks_editor_width":"","advgb_blocks_columns_visual_guide":"","footnotes":""},"class_list":["post-1753","page","type-page","status-publish","has-post-thumbnail","hentry"],"acf":[],"coauthors":[],"author_meta":{"author_link":"https:\/\/www.tarleton.edu\/security-controls-catalog\/author\/brian-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-3\/","display_name":"brian"},"relative_dates":{"created":"Posted 2 years ago","modified":"Updated 2 years ago"},"absolute_dates":{"created":"Posted on August 6, 2024","modified":"Updated on September 6, 2024"},"absolute_dates_time":{"created":"Posted on August 6, 2024 5:38 pm","modified":"Updated on September 6, 2024 7:16 pm"},"featured_img_caption":"","featured_img":false,"series_order":"","_links":{"self":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1753","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/comments?post=1753"}],"version-history":[{"count":0,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1753\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1510"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/media?parent=1753"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}