Texas A&M University | Technology Services

Navigating IT Policies and Regulations

Understanding IT policies and regulations can often seem overwhelming. At Texas A&M University, we strive to simplify this complexity by clearly outlining how laws, rules, and institutional guidelines shape our practices. IT policies help maintain our digital environment's security, integrity, and compliance, ultimately protecting both individuals and the broader university community.

Why IT Policies Exist

IT policies provide clear standards and expectations, guiding the responsible and secure use of technology resources. They serve several key purposes:

  • Protecting Data and Privacy: Policies ensure sensitive university information—including student records, research data, and financial information—is appropriately protected.
  • Meeting External Requirements: Policies help Texas A&M adhere to federal and state laws, regulations, and guidelines, avoiding legal and financial risks.
  • Facilitating Safe Technology Use: Clear policies provide guidelines for secure technology usage, helping prevent cyber threats and ensuring the digital safety of the university community.

Governance and Compliance Hierarchy

IT policy at Texas A&M is part of a structured hierarchy that spans from broad federal regulations down to university-specific rules. Understanding this layered structure helps illustrate how policies are developed and implemented.

[Figure: IT policy hierarchy pyramid]

Layer 1: Federal Legislation and Administrative Rulemaking

At the foundation of our policy structure are federal laws, regulations, and standards. These include the U.S. Code, the Code of Federal Regulations, and frameworks developed by agencies like the National Institute of Standards and Technology (NIST). Examples include:

  • NIST 800-53 and NIST 800-171: Define security controls for protecting federal information systems and Controlled Unclassified Information (CUI).
  • CMMC (Cybersecurity Maturity Model Certification): Establishes cybersecurity standards for defense contractors, research institutions, and associated entities.
  • NSPM-33 (National Security Presidential Memorandum 33): Outlines protections and transparency for federally funded research.

These federal regulations provide the baseline for many cybersecurity and information handling requirements when federal partners or data are involved.

Layer 2: State of Texas Legislation and Administrative Rules

Typically building upon federal guidelines, the State of Texas adds specific legislative and administrative rules. Texas A&M University, as a public institution, must adhere closely to these standards. Important state-level requirements include:

  • Texas Administrative Code §202: Sets cybersecurity and data management standards for state agencies and institutions of higher education.
  • Texas Government Code §2054: Mandates procedures around technology procurement, cybersecurity incident response, and technology standards.
  • Texas Department of Information Resources (DIR): Provides state-wide standards and controls aligned with federal frameworks, specifically NIST 800-53, guiding technology usage and data protection practices.
  • DIR Security Controls Standards Catalog: Mandated by TAC §202.76, this comprehensive set of security controls is based on the NIST 800-53 controls standard and is required for all state information resources.

Compliance with state-level regulations ensures consistent cybersecurity practices across Texas public entities, providing additional layers of accountability and governance.

Layer 3: Texas A&M System Regulations

The Texas A&M University System further refines and localizes federal and state requirements by developing system-wide regulations, policies, and control catalogs. These documents articulate expectations for cybersecurity practices, data governance, and technology management across all member institutions within the System.

Key documents include:

  • System Policies: High-level guidelines outlining the System's position on subject matters, and providing mandates to all System members. System Policy 29.01 Information Resources outlines policy for IT security, data management, and technology use.
  • System Regulations: More detailed instructions for implementing broader policies at each campus or agency within the Texas A&M System. IT regulations are found in Chapter 29 of the System Policy and Regulation Library.
  • System Controls Catalog: Building on the state Security Controls Standards Catalog, this defines specific cybersecurity and information handling controls applicable to all System members, ensuring consistent implementation of security practices.

These regulations and controls serve as the immediate framework guiding Texas A&M University’s own technology policies and operational standards.

Layer 4: Texas A&M University (System Member) Implementation

The Texas A&M University rules, Standard Administrative Procedures (SAPs), and controls catalog ensure compliance with federal, state, and System regulations while addressing unique campus-specific needs and contexts.

Through these policies and rules, Texas A&M ensures local compliance while providing clarity, resources, and support to university constituents.

How IT Policies Affect You

Everyone at Texas A&M is impacted by our IT policies: faculty, staff, students, and visitors. They influence how you can use technology resources, handle university information, and respond to cybersecurity incidents. Compliance isn’t just about rules; it’s about contributing to a secure, efficient, and trustworthy digital environment.

IT policies also outline expectations for technology usage and detail what actions to take if something goes wrong. They can help you understand why specific security measures—such as encryption, multi-factor authentication, and secure network use—are mandatory at Texas A&M.

Navigating and Understanding IT Policy

To make navigating IT policy easier, Texas A&M offers extensive resources, guidelines, and educational opportunities:

  • Controls Catalog: Clearly defines the specific security controls implemented at Texas A&M, explaining their purpose and the role you play in compliance.
  • Policy Guides: Accessible explanations of critical policy areas, like data classification, device security, cloud computing, remote work, and international travel.
  • Education and Outreach: Regular training sessions and resources designed to simplify policy understanding and implementation.

Additionally, our IT Policy office is always available to answer your questions, provide guidance, and assist you in navigating any policy-related challenges.

Last Modified: August 8, 2025