Information Security Controls Catalog

Overview

The Information Security Control Catalog establishes the minimum standards and controls for university information security in accordance with the state's Information Security Standards for Institutions of Higher Education found in Title 1, Chapter 202, Texas Administrative Code (TAC 202).

The purpose of this Control Catalog is to provide Texas A&M University-Kingsville information owners and users with specific guidance for implementing security controls conforming to security control standards currently required in the Texas Department of Information Resources (DIR) Security Control Standards Catalog, Version 1.3.

Each control group is organized under its two-letter group identification code and title, and adopts the numbering format of the DIR Security Control Standards Catalog.

Exclusions

The information resource owner, or a designee (e.g., custodian, user), is responsible for ensuring that the protection measures in the Security Control Catalog are implemented. Based on risk management considerations and business functions, the resource owner may request that certain protection measures within a Control be excluded. All exclusions must follow the procedures set out in the Information Security Controls Exclusion Process.


Controls

ACCESS CONTROL

  • AC-1 Access Control Policy and Procedures [pending]
  • AC-2 Account Management
  • AC-3 Access Enforcement [pending]
  • AC-5 Separation of Duties
  • AC-8 System Use Notification [pending]
  • AC-18 Wireless Access

AWARENESS AND TRAINING

  • AT-1 Security Awareness and Training Policy and Procedures [pending]
  • AT-2 Security Awareness and Training

AUDIT AND ACCOUNTABILITY

  • AU-2 Audit Events

SECURITY ASSESSMENT AND AUTHORIZATION

  • CA-2 Security Assessments [pending]

CONFIGURATION MANAGEMENT

  • CM-1 Configuration Management Policy and Procedures
  • CM-4 Security Impact Analysis [pending]
  • CM-11 User-Installed Software

CONTINGENCY PLANNING

  • CP-2 Contingency Plan
  • CP-4 Contingency Plan Testing [pending]
  • CP-6 Alternate Storage Site [pending]

IDENTIFICATION AND AUTHENTICATION

  • IA-1 Identification and Authentication Policy and Procedures [pending]
  • IA-2 Identification and Authentication (Organizational Users) [pending]
  • IA-4 Identifier Management [pending]

INCIDENT RESPONSE

  • IR-1 Incident Response Policy and Procedures [pending]
  • IR-6 Incident Reporting

MEDIA PROTECTION

  • MP-6 Media Sanitization [pending]

PHYSICAL AND ENVIRONMENTAL PROTECTION

  • PE-1 Physical and Environmental Protection Policy and Procedures
  • PE-13 Fire Protection [pending]

PLANNING

  • PL-2 System Security Plan [pending]

PROGRAM MANAGEMENT

  • PM-1 Information Security Program Plan [pending]
  • PM-2 Senior Information Security Officer [pending]
  • PM-3 Information Security Resources [pending]

PERSONNEL SECURITY

  • PS-2 Position Risk Designation [pending]

RISK ASSESSMENT

  • RA-2 Security Categorization
  • RA-3 Risk Assessment

SYSTEM AND SERVICE ACQUISITION

  • SA-3 System Development Life Cycle
  • SA-4 Acquisition Process
  • SA-10 Developer Configuration Management

SYSTEM AND COMMUNICATION PROTECTION

  • SC-5 Denial of Service Protection
  • SC-8 Transmission Confidentiality and Integrity
  • SC-13 Cryptographic Protection

SYSTEM AND INFORMATION INTEGRITY

  • SI-3 Malicious Code Protection
  • SI-4 Information System Monitoring

This page was last updated on: February 20, 2018