Exemptions to specific controls must be formally documented, justified through risk assessments, and approved by TAMUK’s Information Security Officer (ISO) in accordance with TAMUK’s Information Security Standards and Procedures.

This catalog is also aligned with the Texas A&M University System (TAMUS) Security Controls Catalog, which provides detailed implementation guidance and system-wide expectations across all TAMUS member institutions.

Access Control (AC)

Controls that govern how users access systems and data, including authentication methods, role-based permissions, session limits, and remote access protocols.

Awareness and Training (AT)

Ensures all users receive appropriate training on security responsibilities, acceptable use policies, and recognizing cybersecurity threats like phishing or malware.

Audit and Accountability (AU)

Provides guidance on logging system activities, reviewing audit records, and ensuring accountability for actions performed within IT systems.

Security Assessment and Authorization (CA)

Covers processes for evaluating, authorizing, and monitoring information systems to ensure they meet security requirements prior to and during operation.

Configuration Management (CM)

Focuses on establishing secure configurations for systems, controlling changes, and documenting hardware/software inventory to reduce vulnerabilities.

Contingency Planning (CP)

Defines strategies for maintaining and restoring operations during and after a disruption, including data backup, recovery, and continuity plans.

Identification and Authentication (IA)

Describes how individuals and devices are identified and authenticated before being granted access to information systems.

Incident Response (IR)

Establishes procedures for detecting, responding to, and recovering from security incidents, including roles, responsibilities, and communication protocols.

Maintenance (MA)

Covers the secure execution of system maintenance activities, both on-site and remotely, to ensure operational integrity without introducing risk.

Media Protection (MP)

Outlines how to safeguard sensitive information stored on physical or digital media throughout its lifecycle, from creation to disposal.

Physical and Environmental Protection (PE)

Addresses physical safeguards to protect IT assets and facilities from unauthorized access, environmental hazards, and physical damage.

Planning (PL)

Involves the development of security-related plans, including strategic and system-specific documentation, to guide and support IT governance.

Personnel Security (PS)

Provides controls related to screening, training, and managing personnel who access systems to prevent insider threats and unauthorized activity.

Risk Assessment (RA)

Focuses on identifying, analyzing, and managing risks to IT systems and data to prioritize mitigation strategies based on impact.

System and Services Acquisition (SA)

Ensures that security requirements are integrated into the planning, development, and procurement of systems and services, including third-party contracts.

System and Communications Protection (SC)

Covers network security, data encryption, and secure communications to protect the confidentiality and integrity of information in transit or at rest.

System and Information Integrity (SI)

Describes how to detect, report, and correct system flaws or vulnerabilities and ensure data integrity through monitoring and antivirus controls.

Texas A&M University–Kingsville (TAMUK) encourages the responsible disclosure of security vulnerabilities to enhance the security of its information systems. In alignment with the Texas A&M University System's Public Vulnerability Disclosure Program, TAMUK invites individuals to report potential security issues discovered through good-faith research.

• Responsible Disclosure: Submit findings privately, ensuring details are not shared publicly until TAMUK has had an opportunity to review and address the issue.
• Detailed Reporting: Provide a clear description of the vulnerability, steps to reproduce it, and any relevant information to assist the security team in verification and remediation.
• Avoid Exploitation: Do not exploit the vulnerability or access data without authorization. The goal is to improve system security, not cause harm.
• Respect Privacy: If the vulnerability involves sensitive data, refrain from accessing or disclosing that data without proper authorization