Security Assessment and Authorization Policy and Procedures (CA-1)
The university develops, disseminates, and periodically reviews/updates formal, documented procedures to facilitate the implementation of the Security Assessment and Authorization policy and associated Security Assessment and Authorization controls.
Security Assessments (CA-2)
A review of the university's information security program for compliance with Texas Administrative Code 202 standards will be performed at least biennially, based on business risk management decisions, by individual(s) independent of the information security program and designated by the university President or his or her designee.
System Interconnection (CA-3)
The university authorizes all dedicated connections from university information resources to other information resources outside of the university through the use of system connection agreements and monitors/controls the connections on an ongoing basis.
Plan of Action and Milestones (CA-5)
The university identifies, accepts, mitigates, and responds to risks identified in the annual risk assessments with actionable plans and decisions.
Security Authorization (CA-6)
The university authorizes the information resource for processing before operations or when there is a significant change to the system
Continuous Monitoring (CA-7)
The university monitors security controls for information resources on an ongoing basis.
Penetration Testing (CA-8)
The university conducts penetration testing of information resources based on risk management decisions. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls.
Internal System Connection (CA-9)
The university has a procedure for authorizing internal interfaces between information resources.