Risk assessment and mitigation are challenging in any environment, but especially in the open and decentralized world of higher education. Texas A&M University developed the ISAAC methodology and tool kit to address this challenge. ISAAC usage has spread beyond the borders of Texas A&M, increasing awareness, facilitating assessment, and enhancing compliance with information security standards not only in other Texas institutions of higher education but also in Texas state agencies. Texas A&M's Jeff McCabe will describe how ISAAC came to be, its purpose and scope, its current status and extent of deployment, and what the future holds. Don Volz of Texas State University-San Marcos will describe how his institution came to adopt ISAAC and how it has helped improve his university's overall security posture.