Information Security Program Plan (PM-1)
Under Texas Administrative Code §202.74, Institution Information Security Program, the university shall implement an information security program that includes protections, based on risk, for all information and information resources against unauthorized access, use, disclosure, modification, or destruction, including assuring the availability, confidentiality, and integrity of information.
Senior Information Security Officer (PM-2)
Texas A&M, as a State University, is required to comply with Texas Administrative Code, Title 1, Chapter 202 (TAC 202). The TAC 202 assigns responsibility for the protection of information resources to the President of the University. For the purposes of this Control, the authority and responsibility regarding the university's compliance with TAC 202 have been delegated by the President to the Chief Information Officer (CIO).
Information Security Resources (PM-3)
Texas Administrative Code (TAC), Rule §202.70(2) requires the head of each state institution of higher education or his/her designated representative(s) to allocate resources for ongoing information security remediation, implementation, and compliance activities that reduce risk to a level acceptable to the institution head.
Plan of Action and Milestone Process (PM-4)
The University shall develop and update, a plan of action and milestone process for security information resources that document the University's planned, implemented, and evaluated remedial actions to correct deficiencies noted during the assessment of the security controls in order to reduce or eliminate known vulnerabilities in the system.
Information System Inventory (PM-5)
To properly assess risk for the University, information resource assets shall be clearly identified and inventoried.
Information Security Measures of Performance (PM-6)
Information Security Measures of Performance include assessments of risk, identification of corrective actions, and mitigation efforts to secure University information resources.
Enterprise Architecture (PM-7)
Reviewing the implementation of new technology infrastructure or modifications to existing technology infrastructure ensures that the use of information resources is in line with strategic goals.
Risk Management Strategy (PM-9)
The university develops a risk management strategy to secure university operations and assets.
Authorization Process (PM-10)
The university integrates authorization processes into its risk management program.
Testing, Training, and Monitoring (PM-14)
It is important that activities associated with security and privacy testing, training and monitoring are coordinated across the university. Coordination enables plans and activities to be informed by current threat and vulnerability assessments.
Security and Privacy Groups and Associations (PM-15)
The university maintains ongoing contact with security and privacy groups and associations which is important in an environment of rapidly changing technologies and threats. Groups and associations include special interest groups, professional associations, forums, news groups, users’ groups, and peer groups of security and privacy professionals in higher education and similar organizations.
Threat Awareness Program (PM-16)
The University is responsible for establishing and promoting a suitable and relevant threat awareness program to enhance awareness of University information security policies and procedures.