Risk Management Cycle Accessible Version


The Information Security Office facilitates formal, ongoing risk assessments for software, services, and other high-value information resources that need a regular security check-up. Service Evaluations and Risk Assessments help assess, document, and manage security risks posed to university information resources. Each serve a different purpose in the risk management lifecycle.

Service Evaluations

Service Evaluations are conducted by the ISO before things like systems, services, and software are set up and put into use. The ISO reviews information about how a service will be used, what data it will handle, how it can protect that information, and what risks it may present to the university. If necessary, the service is also flagged for annual or biennial, recurring risk assessments. The ISO then creates a data security plan to help ensure the service can be used safely.

Risk Assessments

Risk Assessments are a separate process from service evaluations. They are required for high-value and high-risk services, systems, locations, networks, and workstations to quantify risks they present to the university and to ensure compliance with good practice. Unlike service evaluations, risk assessments must be completed annually or biennially (depending on the risk presented by the service) by the information resource owners and custodians outside of the ISO.

How a Service or Software gets Evaluated:

Procuring new software or services at Texas State university requires a security review, among other things. Below is the general process for how a software or service is handled by the ISO.

  1. Software or service is evaluated
    All new, and some renewing, software and services must go through a service evaluation. Find out more on the Software and Service Evaluation page.

  2. Software is either denied or approved
    After evaluation, a software or service can be either approved or not. If approved, the ISO will establish a security plan which must be accepted by the Information Resource Owner in order to implement the software or service.

  3. Monitoring / Maintenance
    Once a software or service is implemented, the Information Resource Owners and Information Resource Custodians are responsible for managing permissions, running updates, and reporting security incidents to the ISO as soon as they are discovered.

  4. Reassessment and Monitoring
    The risk profile of a software or service will determine what kind of reassessment cycle may be required. This will be determined at the time of implementation. Ongoing monitoring and reassessment of objects and devices.

Expand All Content