Security Planning Policy and Procedures (PL-1)
The university develops, disseminates, and periodically reviews/updates formal, documented procedures to facilitate the implementation of the Security Planning policy and associated Security Planning controls.
System Security Plan (PL-2)
The university (Chief Information Security Officer) develops and implements a security plan that provides an overview of the security requirements and a description of the security controls in place or planned for meeting those requirements.
Rules of Behavior (PL-4)
The university defines scope, behavior, practices, and compliance pertaining to the use of information resources.
Baseline Selection (PL-10)
The university develops, disseminates, and periodically reviews/updates formal, documented policies and standards to facilitate information security.
Control baselines are predefined sets of controls specifically assembled to address the protection needs of the university. The Texas A&M Information Security Controls Catalog represents the baseline to satisfy mandates imposed by the State of Texas and/or the Texas A&M University System. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems, with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints.
Baseline Tailoring (PL-11)
The concept of tailoring allows the university to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing the university to develop security and privacy plans that reflect its specific mission and business functions, the environments where the systems operate, the threats and vulnerabilities that can affect systems, and any other conditions or situations that can impact mission or business success. The university may add security controls based upon requirements such as CUI, HIPAA, or contractual obligations.