Texas A&M University | Technology Services

What Is the Controls Catalog?

The Texas A&M Information Security Controls Catalog is our university's implementation of standardized security controls based on NIST 800-53 and mandated by Texas Administrative Code §202. It provides specific guidance for protecting university information systems and data across all departments and roles.

The catalog contains 21 control families covering the full spectrum of information security. Some key control areas include:

  • Access Control (AC): Who can access systems and under what conditions
  • Data Classification (DC): How data is categorized, managed, and protected
  • Configuration Management (CM): Managing system settings to prevent unauthorized changes
  • Incident Response (IR): Procedures for detecting and responding to security incidents
  • Risk Assessment (RA): Identifying and evaluating security risks

Everyone Has Responsibilities

Every member of the Texas A&M community has a role to play in keeping our digital assets safe:

Information Resource Users (All Faculty, Staff, Students):

  • Follow established security policies and procedures
  • Report suspected security incidents immediately
  • Protect login credentials and access privileges

Information Resource Owners (Department Heads, Principal Investigators):

  • Ensure controls are applied to systems under your oversight
  • Allocate resources for security implementation
  • Work with IT to prioritize security measures

Information Resource Custodians (IT Staff, System Administrators):

  • Configure systems to meet prescribed security controls
  • Implement day-to-day security operations
  • Monitor compliance with established standards

Controls Development and Review Process

The Texas A&M controls catalog builds upon a multi-level framework of security standards. Starting with the federal NIST 800-53 controls as the foundation, the State of Texas created the Security Controls Standards Catalog (Version 1.3) that adds state-specific requirements and clarifications. From that standard, the Texas A&M University System developed a catalog implementation tailored to higher education needs. Finally, our campus-specific catalog incorporates all previous levels while adding implementation details specific to Texas A&M operations. Each level becomes more specific and may impose stricter requirements than the level above it, ensuring our security measures meet or exceed all federal, state, system, and institutional standards.

Recognizing the evolving nature of cybersecurity threats, the catalog undergoes periodic reviews and updates. Feedback from stakeholders and changes in regulatory landscapes inform these revisions, ensuring that the controls remain effective and relevant. The IT Advisory Group, made up of subject matter experts from throughout Technology Services, offers input into the drafting and revisions of Security Controls. The process for managing the notification and updates of the catalog is described in university SAP 29.01.03.M0.01: Security of Electronic Information Resources.

Stay Informed:

Subscribe to the IT Policy Announce list with your NetID to receive notifications about changes to security controls and university IT policies.

If you have any questions about the controls catalog, or need further assistance in understanding or implementing these controls, please reach out to us at it-policy@tamu.edu.

Compliance and Assessment

Compliance with the controls catalog is required by university SAP 29.01.03.M0.01 §4. The university regularly assesses compliance with security controls through:

  • Automated security scans and monitoring
  • Regular audits of high-risk systems
  • Self-assessments by departments and units
  • Third-party security evaluations

Non-compliance can result in system access restrictions, increased monitoring, or required remediation activities. In rare cases where business needs conflict with security controls, you may request an exception.

Last Modified: July 27, 2025