At Texas A&M, state law requires us to perform annual risk assessments for all IT resources (laptops, servers, applications, etc.). Usually this assessment is performed by professional IT staff for your unit, but in some cases it must be completed by individuals who manage an IT resource.
Per system and university requirements, annual IT risk assessments are performed to help measure the level of compliance with university IT policies (rules, SAPs, security controls). The results show areas where improvement will raise the baseline security posture for the entire university.
Staff and faculty who manage their own IT resources (e.g., a faculty-managed server) are required to perform an IT risk assessment each year.
Assessment Instructions
Identify which assessment(s) you are required to complete for the IT resources that you solely manage.
- Application Assessment - individuals that are solely responsible for managing moderate or high impact networked applications used for university business and/or store university data.
If you are not sure what the application's impact level is, use the impact level calculator. - End-User Device Assessment - individuals that are solely responsible for managing end-user devices (e.g., desktop, laptop, tablet, etc.). Devices with different operating systems (Windows, macOS) must be assessed separately.
- Server Assessment - individuals that are solely responsible for managing physical and/or virtual servers, including IT resources that perform server functions (e.g., web server, file server, etc). Physical and virtual servers can be assessed together if they have the same operating system, and the operating system for all servers being assessed is still officially supported by the vendor.
Your unit IT staff can help you determine which assessment(s) you need to complete.
A single assessment may be completed for a group of IT resources that are managed the same way.
A lab of laptops and desktops that are solely managed can all be grouped together into one end-user device assessment if those devices are all managed the same way.
A professor who solely manages servers and a laptop for research will have two assessments.
- One server assessment for the solely managed servers.
- One end-user device assessment for the desktop.
If Lab 1 has laptops managed the same way but different from the group of laptops in Lab 2, then one end-user device assessment will need to be completed for each group of laptops.
2. (Optional) Review help documentation before beginning the assessment.
These help documents provide a roadmap for the assessment: the questions, answer choices, and additional information to help you complete the assessment quickly. Logic has been applied in some cases to reduce the number of questions that must be answered for your specific IT resource.
Typically, an assessment can be completed directly in the Google Form. If you want to see an overview of all possible questions before you begin, use the links below:
3. Once you are ready to complete the assessment, click the appropriate link to access the Google Form.
The Google Form should be completed all at once. You cannot save your information and come back later to complete. The Google Form requires you to complete the current section before moving to the next.
The assessments are split up into main sections. Section 1 is used to gather general information and the assessment questions start in the next section. Your answers for some questions will determine the questions in the next section; this is done to skip questions that do not apply to your IT resource.
Each question in the assessment relates to a security control which must be followed by anyone that manages an IT resource. When possible, a link directly to the university requirement that prompted each question has been provided. All questions are required to be answered.
4. Complete the assessment and click "Submit."
After you click Submit, a confirmation message will appear, and your responses will be sent to the email address you provided at the beginning of the assessment.