Section 2: Risk Management
This section establishes how TxDOT’s Risk Management Program protects its investment in information assets through a methodical approach to identify, assess, and reduce risks. It describes the minimum protocol and responsibilities that must be in place to effectively respond to risks and monitor progress. Risk Management provides a cyclical review process to address the “Identify” objective of the Texas Cybersecurity Framework.
TxDOT will establish a process of managing risks in a consistent manner. This risk management process will begin during all project development and continue throughout the lifetime of the investment. To accomplish this, it must:
- identify risks
- conduct risk assessments
- document results
- create response plans
- establish ownerships
- monitor response activities.
Requests for exceptions or exemptions from this protocol must originate with the Information Owner and route to the Information Security Officer through the Agency’s Exceptions Request Process. The following “Responsibilities” discussion provides broad information for any owner seeking an exception to security controls.
Individuals who use information resources must reduce risks, including:
- identifying all significant known risks
- avoiding unnecessary or unreasonable exposures
- initiating reasonable and appropriate responses.
Information Owners who request exceptions from security controls must provide:
- documented business reasons
- accountability for ensuring TxDOT’s investment is protected.
The Information Security Officer (ISO) must:
- administer the Risk Management Program
- oversee the Risk Register
- monitor risk responses
- review, then approve or deny exception requests.
Compliance and Standards
See the “Risk Management Standards” in the Information Security Standards manual for a list of the minimum standards necessary to comply with this objective of the Investment Protection Policy.