Controls Catalog Groups
Access Control (AC)
- Access Control Policy and Procedures (AC-1)
- Account Management (AC-2)
- Access Enforcement (AC-3)
- Separation of Duties (AC-5)
- Least Privilege (AC-6)
- Unsuccessful Logon Attempts (AC-7)
- System Use Notification (AC-8)
- Session Lock (AC-11)
- Permitted Actions without Identification or Authentication (AC-14)
- Remote Access (AC-17)
- Wireless Access (AC-18)
- Access Control for Mobile Devices (AC-19)
- Uses of External Information Systems (AC-20)
- Publicly Accessible Content (AC-22)
Audit and Accountability (AU)
- Audit and Accountability Policy and Procedures (AU-1)
- Audit Events (AU-2)
- Content of Audit Records (AU-3)
- Audit Storage Capacity (AU-4)
- Response to Audit Processing Failures (AU-5)
- Audit Review, Analysis, and Reporting (AU-6)
- Time Stamps (AU-8)
- Protection of Audit Information (AU-9)
- Audit Record Retention (AU-11)
- Audit Generation (AU-12)
Configuration Management (CM)
- Configuration Management Policy and Procedures (CM-1)
- Baseline Configuration (CM-2)
- Configuration Change Control (CM-3)
- Security Impact Analysis (CM-4)
- Access Restrictions for Change (CM-5)
- Configuration Settings (CM-6)
- Least Functionality (CM-7)
- Information System Component Inventory (CM-8)
- Software Usage Restrictions (CM-10)
- User Installed Software (CM-11)
Identification and Authentication (IA)
- Identification and Authentication Policy and Procedures (IA-1)
- Identification and Authentication (Organizational Users) (IA-2)
- Identifier Management (IA-4)
- Authenticator Management (IA-5)
- Authenticator Feedback (IA-6)
- Cryptographic Module Authentication (IA-7)
- Identification and Authentication (Non-Organizational Users) (IA-8)
- Re-Authentication (IA-11)
Physical and Environmental Protection (PE)
- Physical and Environmental Protection Policies and Procedures (PE-1)
- Physical Access Authorization (PE-2)
- Physical Access Control (PE-3)
- Monitoring Physical Access (PE-6)
- Visitor Access Records (PE-8)
- Emergency Lighting (PE-12)
- Fire Protection (PE-13)
- Temperature and Humidity Controls (PE-14)
- Water Damage Control (PE-15)
- Delivery and Removal (PE-16)
- Alternate Work Site (PE-17)
Program Management (PM)
- Information Security Program Plan (PM-1)
- Senior Information Security Officer (PM-2)
- Information Security Resources (PM-3)
- Plan of Action and Milestone Process (PM-4)
- Information System Inventory (PM-5)
- Information Security Measures of Performance (PM-6)
- Enterprise Architecture (PM-7)
- Risk Management Strategy (PM-9)
- Authorization Process (PM-10)
- Testing, Training, and Monitoring (PM-14)
- Security and Privacy Groups and Associations (PM-15)
- Threat Awareness Program (PM-16)
System and Service Acquisition (SA)
- System and Services Acquisition Policy and Procedures (SA-1)
- Allocation of Resources (SA-2)
- System Development Lifecycle (SA-3)
- Acquisition Process (SA-4)
- Information System Documentation (SA-5)
- Security and Privacy Engineering Principles (SA-8)
- External Information System Services (SA-9)
- Developer Configuration Management (SA-10)
- Developer Testing and Evaluation (SA-11)
- Unsupported System Components (SA-22)
System and Communication Protection (SC)
- System and Communications Protection Policy and Procedures (SC-1)
- Denial of Service Protection (SC-5)
- Boundary Protection (SC-7)
- Transmission Confidentiality and Integrity (SC-8)
- Cryptographic Key Establishment and Management (SC-12)
- Cryptographic Protection (SC-13)
- Collaborative Computing Devices (SC-15)
- Secure Name/Address Resolution Service (Authoritative Source) (SC-20)
- Secure Name/Address Resolution Service (Recursive or Caching Resolver) (SC-21)
- Architecture and Provisioning for Name/Address Resolution Service (SC-22)
- Process Isolation (SC-39)
The Texas A&M Information Security Controls Catalog establishes the minimum standards and controls for university information security in accordance with the state's Information Security Standards for Institutions of Higher Education found in Title 1, Chapter 202, Texas Administrative Code (TAC 202).
The purpose of this Controls Catalog is to provide Texas A&M University information owners and users with specific guidance for implementing security controls conforming to security control standards currently required in the Texas Department of Information Resources (DIR) Security Control Standards Catalog, Version 1.3.
Each control group is organized under its two-letter group identification code and title, and adopts the numbering format of the DIR Security Control Standards Catalog.
Exceptions
The information resource owner is responsible for ensuring that the protection measures in the Security Controls Catalog are implemented. Based on risk management considerations and business functions, the resource owner may request to exclude certain protection measures mandated by a control in favor of an alternate mitigation. This process is described in detail in SAP 29.01.03.M0.03 - Exceptions from Required Risk Mitigation Measures.
Use the IT Policy Exception Request form to request an exception to any security control. Once the request has been submitted and processed by the office of the CISO, an opinion approving or denying the exception will be returned to the requestor.