(a) A risk assessment of information resources shall be performed and documented. The risk assessment shall be updated based on the inherent risk. The inherent risk and frequency of the risk assessment will be ranked, at a minimum, as either "High," "Medium," or "Low," based primarily on the following criteria:

(1) High Risk-annual assessment--Information resources that:

(A) Involve large dollar amounts or significantly important transactions, such that business or government processes would be hindered or an impact on public health or safety would occur if the transactions were not processed timely and accurately, or

(B) Contain confidential or other data such that unauthorized disclosure would cause real damage to the parties involved, or

(C) Impact a large number of people or interconnected systems.

(2) Medium Risk-biennial assessment--Information resources that:

(A) Transact or control a moderate or low dollar value, or

(B) Data items that could potentially embarrass or create problems for the parties involved if released, or

(C) Impact a moderate proportion of the customer base.

(3) Low Risk-biennial assessment--Information resources that:

(A) Publish generally available public information, or

(B) Result in a relatively small impact on the population.

(b) A system change could cause the overall classification to move to another risk level.

(c) Risk assessment results, vulnerability reports, and similar information shall be documented and presented to the institution of higher education head or his or her designated representative. The institution of higher education head or his or her designated representative(s) shall make the final risk management decisions to either accept exposures or protect the data according to its value/sensitivity. The institution of higher education head or his or her designated representative(s) shall approve the security risk management plan. This information may be exempt from disclosure under §2054.077(c), Government Code.