Texas A&M University | Technology Services

Texas State IT Regulations and TAC 202

As a public university in Texas, Texas A&M University operates under various state laws and regulations. A key component governing our information technology practices is the Texas Administrative Code (TAC), which is the official compilation of all state agency rules in Texas. 

Rules and regulations for information technology and cybersecurity are found in TAC 202. Overseen by the Texas Department of Information Resources (DIR), this chapter establishes the minimum information security standards that all Texas state agencies and public universities must follow. Its primary purpose is to ensure the confidentiality, integrity, and availability of the state's information resources through a consistent and comprehensive security strategy.

Institutional Responsibility

TAC 202 assigns the ultimate responsibility for the security of information resources to the president of the university.

State agencies must designate an Information Security Officer (ISO) who has the explicit authority and duty to administer the university's information security program and ensure compliance with TAC 202 requirements. At Texas A&M, this is the Chief Information Security Officer, or CISO (see university Rule 29.01.03.M1).

The head or director of a unit (such as a college dean or division vice-president) is responsible for ensuring that compliance with TAC 202 is maintained for any information resources owned and operated by the unit.

Key Requirements

TAC Chapter 202 mandates several key responsibilities and practices for Texas A&M, forming the basis for many of our specific security policies and procedures:

  • Annual Risk Assessments
    Sections 71 and 75 of TAC 202 require that a risk assessment be performed and documented by units having ownership or custodial responsibility of information resources. These assessments must be performed at least annually using the Information Security Risk Assessment Procedures (ISRAP) published by the Texas A&M CISO. The Dean or Vice President for the division in which the unit resides must formally approve the results of the information security assessment and any associated risk management plans.

    The university is required to conduct and document risk assessments for its information resources at least annually. These assessments help identify vulnerabilities and threats, allowing the university to implement appropriate risk management plans. (This process often involves tools like the Information Security Risk Assessment Procedures, or ISRAP.)
  • Information Security Program
    Section 74 says that the university must develop, implement, maintain, and periodically review a comprehensive, institution-wide information security program that incorporates all requirements outlined in TAC 202.

More information and specific procedures are described in Texas A&M University SAP 29.01.03.M0.01 Security of Electronic Information Resources. If you have questions related to TAC 202 or IT policy at Texas A&M, contact it-policy@tamu.edu.

Last Modified: January 14, 2026