Statement

Reviews of West Texas A&M University's information security program for compliance with Texas Administrative Code 202 standards will be performed by both internal reviews conducted by the ISO and by individual(s) independent of the information security program.

Applicability

This control applies to all West Texas A&M information resources. The intended audience for this control includes all information resource owners, custodians, and users of information resources.

Implementation

• A review of the University's Securiy Program by qualified individuals independent of the University shall be conducted at least biennially.
• The ISO and CIO will develop the assessment plan that defines the scope of the assessment that includes:
  • University security controls under review
  • Methods or procedures to determine control effectiveness
  • Assessment environment, team members and roles and responsibilities.
• A formal report will be prepared and presented to the CIO for review.
• Reviews of individual information resources or program components for compliance maybe be conducted by IT security throughout the year, based on risk management decisions.