Description

The concept of tailoring allows the university to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing the university to develop security and privacy plans that reflect its specific mission and business functions, the environments where the systems operate, the threats and vulnerabilities that can affect systems, and any other conditions or situations that can impact mission or business success. The university may add security controls based upon requirements such as CUI, HIPAA, or contractual obligations.

Applicability

  • This control applies to the University Chief Information Security Officer (CISO).

Implementation

  1. The CISO, or designee, has the authority to modify predefined sets of controls by applying specified tailoring actions.