{"id":1761,"date":"2024-08-06T17:54:23","date_gmt":"2024-08-06T17:54:23","guid":{"rendered":"https:\/\/www.tarleton.edu\/security-controls-catalog\/?page_id=1761"},"modified":"2025-05-06T19:35:27","modified_gmt":"2025-05-06T19:35:27","slug":"ra-3-risk-assessment","status":"publish","type":"page","link":"https:\/\/www.tarleton.edu\/security-controls-catalog\/risk-assessment-ra\/ra-3-risk-assessment\/","title":{"rendered":"RA-3: Risk Assessment"},"content":{"rendered":"\n<h1 class=\"wp-block-heading has-large-font-size\">RA-3: Risk Assessment<\/h1>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>NIST Baseline: <\/strong>Low&nbsp;<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>Privacy Baseline: &nbsp;<\/strong>Yes&nbsp;<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>DIR Required By:<\/strong> &nbsp;07\/20\/2023&nbsp;<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>Review Date: \u00a0<\/strong>05\/06\/2025\u00a0<\/h2>\n\n\n\n<ul class=\"wp-block-list its-nested-list\">\n<li>Texas A&amp;M University System (TAMUS) <a href=\"https:\/\/policies.tamus.edu\/29-01-03.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Regulation 29.01.03, Information Security<\/a>, requires an annual information security risk assessment that complies with Texas Administrative Code (TAC) <a href=\"https:\/\/texas-sos.appianportalsgov.com\/rules-and-meetings?$locale=en_US&amp;interface=VIEW_TAC_SUMMARY&amp;queryAsDate=05%2F06%2F2025&amp;recordId=206717\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a7202.75<\/a>. &nbsp;<\/li>\n\n\n\n<li>Information resource custodians must conduct a risk assessment for each High Impact Information Resource every year, for each Moderate Impact Information Resource every other year, for each Low Impact Information Resource every three years. 
&nbsp;Each risk assessment shall include: &nbsp;\n<ul class=\"wp-block-list\">\n<li>Identifying threats to and vulnerabilities in the system; &nbsp;<\/li>\n\n\n\n<li>Determining the likelihood and magnitude of harm from unauthorized use, disclosure, disruption, modification, or destruction. Risks and impacts will be ranked, at a minimum, as &#8220;High,&#8221; &#8220;Moderate,&#8221; or &#8220;Low.&#8221; &nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>The assessment results, vulnerability reports, and the inventory must be provided to the&nbsp;Tarleton State University (Tarleton) Chief Information Security Officer&nbsp;(CISO) for review as required by TAC <a href=\"https:\/\/texas-sos.appianportalsgov.com\/rules-and-meetings?$locale=en_US&amp;interface=VIEW_TAC_SUMMARY&amp;queryAsDate=05%2F06%2F2025&amp;recordId=206717\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a7202.75<\/a> and TAMUS <a href=\"https:\/\/policies.tamus.edu\/29-01-03.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Regulation 29.01.03, Information Security<\/a>. &nbsp;<\/li>\n\n\n\n<li>In accordance with TAC <a href=\"https:\/\/texas-sos.appianportalsgov.com\/rules-and-meetings?$locale=en_US&amp;interface=VIEW_TAC_SUMMARY&amp;queryAsDate=05%2F06%2F2025&amp;recordId=206717\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a7202.75<\/a>, approval of the security risk acceptance, transfer, or mitigation decisions is the responsibility of: &nbsp;\n<ul class=\"wp-block-list\">\n<li>The Tarleton CISO or their designee(s), in coordination with the information resource owner, for systems identified with Low or Moderate residual risk. &nbsp;<\/li>\n\n\n\n<li>The President\/CEO or their designee for all systems identified with a High residual risk. 
&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Assessment results and risk decisions will be used as a basis for the Tarleton Information Security Program as required by TAC <a href=\"https:\/\/texas-sos.appianportalsgov.com\/rules-and-meetings?$locale=en_US&amp;interface=VIEW_TAC_SUMMARY&amp;queryAsDate=05%2F06%2F2025&amp;recordId=206716\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a7202.74<\/a>. See <a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/planning-pl\/pl-2-system-security-and-privacy-plans\/\" data-type=\"link\" data-id=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/planning-pl\/pl-2-system-security-and-privacy-plans\/\">Control PL-2, System Security and Privacy Plans<\/a>; <a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/program-management-pm\/pm-1-information-security-program-plan\/\">Control PM-1, Information Security Program Plan<\/a>; <a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/program-management-pm\/pm-4-plan-of-action-and-milestones-process\/\">Control PM-4, Plan of Action and Milestones Process<\/a>; <a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/program-management-pm\/pm-6-measures-of-performance\/\">Control PM-6, Measures of Performance<\/a>; and <a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/program-management-pm\/pm-9-risk-management-strategy\/\">Control PM-9, Risk Management Strategy<\/a>. 
&nbsp;<\/li>\n\n\n\n<li>The schedule of future risk assessments will be documented as required by TAC <a href=\"https:\/\/texas-sos.appianportalsgov.com\/rules-and-meetings?$locale=en_US&amp;interface=VIEW_TAC_SUMMARY&amp;queryAsDate=05%2F06%2F2025&amp;recordId=206717\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a7202.75<\/a>, in accordance with TAMUS <a href=\"https:\/\/policies.tamus.edu\/29-01-03.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Regulation 29.01.03, Information Security<\/a>. Currently the schedule is based on the information resource impact risk rating of \u201cHigh,\u201d \u201cModerate,\u201d or \u201cLow\u201d:&nbsp;\n<ul class=\"wp-block-list\">\n<li>High Impact Information Resources will have a risk assessment conducted every year;&nbsp;<\/li>\n\n\n\n<li>Moderate Impact Information Resources (maintaining confidential information) will have a risk assessment conducted every other year; and&nbsp;<\/li>\n\n\n\n<li>Low Impact Information Resources (other applicable information resources) will have a risk assessment conducted every three years.&nbsp;&nbsp;&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Information security risk assessments may be excepted from disclosure under Texas Government Code <a href=\"https:\/\/statutes.capitol.texas.gov\/Docs\/GV\/htm\/GV.2054.htm#2054.077\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a72054.077(c)<\/a> or Texas Government Code <a href=\"https:\/\/statutes.capitol.texas.gov\/Docs\/GV\/htm\/GV.552.htm#552.139\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a7552.139<\/a>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator alignfull has-text-color has-tarleton-purple-color has-alpha-channel-opacity has-tarleton-purple-background-color has-background is-style-wide\"\/>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>References\/Additional Resources<\/strong><\/h3>\n\n\n\n<p><a 
href=\"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/circulars\/A130\/a130revised.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">OMB A-130<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-30r1\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-30<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-39\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-39<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-161\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-161<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.IR.8023\" target=\"_blank\" rel=\"noreferrer noopener\">IR 8023<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.IR.8062\" target=\"_blank\" rel=\"noreferrer noopener\">IR 8062<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.IR.8272\" target=\"_blank\" rel=\"noreferrer noopener\">IR 8272<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=25\" target=\"_blank\" rel=\"noreferrer noopener\">1 TAC \u00a7 202.25<\/a> &nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=27\" target=\"_blank\" rel=\"noreferrer noopener\">1 TAC \u00a7 202.27<\/a> &nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=75\" target=\"_blank\" rel=\"noreferrer noopener\">1 TAC \u00a7 202.75<\/a> &nbsp;<\/p>\n\n\n\n<p><a 
href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=77\" target=\"_blank\" rel=\"noreferrer noopener\">1 TAC \u00a7 202.77<\/a>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>RA-3: Risk Assessment NIST Baseline: Low&nbsp; Privacy Baseline: &nbsp;Yes&nbsp; DIR Required By: &nbsp;07\/20\/2023&nbsp; Review Date: \u00a005\/06\/2025\u00a0 References\/Additional Resources OMB A-130&nbsp; SP 800-30&nbsp; SP 800-39&nbsp; SP 800-161&nbsp; IR 8023&nbsp; IR 8062&nbsp; &#8230;<\/p>\n","protected":false},"author":1,"featured_media":580,"parent":1510,"menu_order":3,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"inline_featured_image":false,"advgb_blocks_editor_width":"","advgb_blocks_columns_visual_guide":"","footnotes":""},"class_list":["post-1761","page","type-page","status-publish","has-post-thumbnail","hentry"],"acf":[],"coauthors":[],"author_meta":{"author_link":"https:\/\/www.tarleton.edu\/security-controls-catalog\/author\/brian-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-3\/","display_name":"brian"},"relative_dates":{"created":"Posted 2 years ago","modified":"Updated 11 months ago"},"absolute_dates":{"created":"Posted on August 6, 2024","modified":"Updated on May 6, 2025"},"absolute_dates_time":{"created":"Posted on August 6, 2024 5:54 pm","modified":"Updated on May 6, 2025 7:35 
pm"},"featured_img_caption":"","featured_img":false,"series_order":"","_links":{"self":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1761","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/comments?post=1761"}],"version-history":[{"count":3,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1761\/revisions"}],"predecessor-version":[{"id":2662,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1761\/revisions\/2662"}],"up":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1510"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/media?parent=1761"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}