Background
The university’s IT risk assessment process requires units to address areas where non-compliance is identified. This will include risk management decisions and corrective action plans.
- Risk management decisions provide justification for accepting a risk while maintaining current compliance levels.
- Corrective action plans describe how the unit will improve compliance in the future. The actions may require additional resources (e.g., funding, personnel, equipment, etc.) to improve compliance.
Risk assessments, corrective actions, and risk management decisions will become a part of the IT risk management planning for the unit and provide input to university IT risk management planning
Generating Findings
After the IT risk assessment is approved by the reviewer, the assessor is responsible for responding to any resulting findings. A finding is generated when a unit is not fully compliant with a university IT requirement.
Most questions in an IT risk assessment are related to university requirements (university security controls, TAMU Standard Administrative Procedures). There are a few questions that may not correspond to existing university requirements; these are used to help prepare for future requirements. Only questions related to university requirements generate a finding.Responding to Findings
Assessors are responsible to respond to findings. These responses are the assessor’s opportunity to justify the risk management decision or describe the corrective action plan to mitigate the risk represented by the findings.
The assessor should work with the Division Risk Assessment Coordinator (D-RAC) and/or other senior IT staff in order to come up with acceptable responses. The dean or VP should be informed of responses that require changes in resources (e.g. funding, personnel, equipment, etc.) to improve compliance in certain areas since they will sign off on all assessments for their college or division.