1. Is there a cost to use ISAAC?
2. What is required for access?
3. Does failure to perform a security risk assessment affect my agency's IRDR?
4. What kind of equipment and software is needed?
5. Is the data submitted into ISAAC secured?
6. What happens to my data if the session is timed out?
7. Is user training provided?
8. Can I change my password? What if I forget my password or lock out my account?

1. Is there a cost to use ISAAC? 

The DIR Office of the CISO has licensed ISAAC from Texas A&M University and pays an annual maintenance fee that permits State agencies to ISAAC in support of their agency risk assessment activities.

2. What is required for access? 

An agency wishing to use ISAAC must designate a security administrator to serve as central point of contact and at least one system administrator to enter assessment data into the ISAAC tool. The agency must also provide TAMU with an outward facing IP address to enable establishing a secure connection from the agency to the TAMU hosted web-based tool.

3. Does failure to perform a security risk assessment affect my agency’s IRDR?

The agency IRDR process requires agencies to report if they have completed a security risk assessment. Agencies may use the ISAAC tool to complete those security risk assessments.

4. What kind of equipment and software is needed? 

The agency will require an internet connection and a browser for authorized access to the ISAAC web-based tool. Note that the ISAAC site is optimized for internet Explorer, requires JavaScript to be enabled, and requires the browser to accept cookies.

5. Is the data submitted into ISAAC secured?

Yes, data is securely transmitted to and stored in the ISAAC application. Additionally DIR performs annual web application vulnerability scan engagements on the ISAAC tool environment.

6. What happens to my data if the session is timed out?

All data entered on a web form and not saved to the ISAAC application will be lost if web connectivity to ISAAC is unexpectedly lost (loss of connectivity) or if the web session remains inactive for more than 45 minutes (session time-out).

7. Is user training provided? 

Yes, user training is provided via webinars, which are scheduled periodically to provide agency training and assistance with ISAAC tool use. The ISAAC tool contains online help and pop ups to guide an agency through the risk assessment process.

8. Can I change my password? What if I forget my password or lock out my account?

Yes, authorized users (security and system administrators) may change their passwords after a successful log-in to the ISAAC tool. If an authorized user has lost or forgotten their ISAAC password, they may contact DIR’s Security Division for assistance.