Information Security Controls Catalog
Overview
Texas A&M University–Kingsville (TAMUK) is committed to protecting the confidentiality, integrity, and availability of its information resources. This Information Security Controls Catalog outlines the minimum set of information security controls required to safeguard institutional systems, data, and services in accordance with Texas Administrative Code (TAC) 202, Texas A&M University System Policy 29.01, and the Texas Department of Information Resources (DIR) Security Control Standards Catalog.
The purpose of this catalog is to assist information resource owners, custodians, and users in applying appropriate security controls based on the classification and risk level of the data and systems they manage. It is structured around control families and adopts DIR’s control naming and structure to maintain alignment with state guidance.
This catalog also supports compliance efforts and provides a consistent framework for:
- Identifying and mitigating information security risks
- Implementing security best practices across IT systems
- Supporting institutional continuity and resilience
- Enabling secure research, academic, and administrative operations
Exemptions to specific controls must be formally documented, justified through risk assessments, and approved by TAMUK’s Information Security Officer (ISO) in accordance with TAMUK’s Information Security Standards and Procedures.
This catalog is also aligned with the Texas A&M University System (TAMUS) Security Controls Catalog, which provides detailed implementation guidance and system-wide expectations across all TAMUS member institutions.
Access Control (AC)
Controls that govern how users access systems and data, including authentication methods, role-based permissions, session limits, and remote access protocols.
Awareness and Training (AT)
Ensures all users receive appropriate training on security responsibilities, acceptable use policies, and recognizing cybersecurity threats like phishing or malware.
Audit and Accountability (AU)
Provides guidance on logging system activities, reviewing audit records, and ensuring accountability for actions performed within IT systems.
Security Assessment and Authorization (CA)
Covers processes for evaluating, authorizing, and monitoring information systems to ensure they meet security requirements prior to and during operation.
Configuration Management (CM)
Focuses on establishing secure configurations for systems, controlling changes, and documenting hardware/software inventory to reduce vulnerabilities.
Contingency Planning (CP)
Defines strategies for maintaining and restoring operations during and after a disruption, including data backup, recovery, and continuity plans.
Identification and Authentication (IA)
Describes how individuals and devices are identified and authenticated before being granted access to information systems.
Incident Response (IR)
Establishes procedures for detecting, responding to, and recovering from security incidents, including roles, responsibilities, and communication protocols.
Maintenance (MA)
Covers the secure execution of system maintenance activities, both on-site and remotely, to ensure operational integrity without introducing risk.
Media Protection (MP)
Outlines how to safeguard sensitive information stored on physical or digital media throughout its lifecycle, from creation to disposal.
Physical and Environmental Protection (PE)
Addresses physical safeguards to protect IT assets and facilities from unauthorized access, environmental hazards, and physical damage.
Planning (PL)
Involves the development of security-related plans, including strategic and system-specific documentation, to guide and support IT governance.
Personnel Security (PS)
Provides controls related to screening, training, and managing personnel who access systems to prevent insider threats and unauthorized activity.
Risk Assessment (RA)
Focuses on identifying, analyzing, and managing risks to IT systems and data to prioritize mitigation strategies based on impact.
System and Services Acquisition (SA)
Ensures that security requirements are integrated into the planning, development, and procurement of systems and services, including third-party contracts.
System and Communications Protection (SC)
Covers network security, data encryption, and secure communications to protect the confidentiality and integrity of information in transit or at rest.
System and Information Integrity (SI)
Describes how to detect, report, and correct system flaws or vulnerabilities and ensure data integrity through monitoring and antivirus controls.
Vulnerability Reporting
Guidelines for reporters:
- Responsible Disclosure: Submit findings privately, ensuring details are not shared publicly until TAMUK has had an opportunity to review and address the issue.
- Detailed Reporting: Provide a clear description of the vulnerability, steps to reproduce it, and any relevant information to assist the security team in verification and remediation.
- Avoid Exploitation: Do not exploit the vulnerability or access data without authorization. The goal is to improve system security, not cause harm.
- Respect Privacy: If the vulnerability involves sensitive data, refrain from accessing or disclosing that data without proper authorization.
TAMUK's Commitment:
- Acknowledge receipt of the report promptly.
- Work to resolve the vulnerability promptly and keep the reporter informed of the status.
- Issue fixes and security updates as quickly as possible.
- When appropriate, publicly disclose the vulnerability and credit the reporter for their contribution to system security.
To report a vulnerability, please visit the TAMUS Vulnerability Reporting Page.