Information Security Controls Catalog
Overview
The Information Security Controls Catalog establishes the minimum standards and controls for university information security in accordance with the state's Information Security Standards for Institutions of Higher Education found in Title 1, Chapter 202, Texas Administrative Code (TAC 202). The purpose of this Control Catalog is to provide West Texas A&M University information owners and users with specific guidance for implementing security controls conforming to the security control standards currently required in the Texas Department of Information Resources (DIR) Security Control Standards Catalog, Version 2.1. The Texas A&M University System has chosen to implement additional controls from the Catalog, found here, based on risk decisions. Both sets of controls are included in the WTAMU implementation below. Each control group is organized under its two-letter group identification code and title, and adopts the numbering format of the DIR Security Control Standards Catalog.
Exclusions
The information resource owner or designee (e.g., custodian, user) is responsible for ensuring that the protection measures in the Security Control Catalog are implemented. Based on risk management considerations and business functions, the resource owner may request to exclude certain protection measures provided in a Control. All exclusions must be in accordance with the procedures highlighted in the Information Security Controls Exclusion Process.
Access Controls
- AC-1 Access Control Policy and Procedures
- AC-2 Account Management
- AC-2(3) Disable Accounts
- AC-2(7) Privileged User Accounts
- AC-3 Access Enforcement
- AC-3(7) Role-based Access Control
- AC-5 Separation of Duties
- AC-6 Least Privilege
- AC-7 Unsuccessful Logon Attempts
- AC-8 System Use Notification
- AC-11 Device Lock
- AC-14 Permitted Actions without Identification or Authentication
- AC-17 Remote Access
- AC-18 Wireless Access
- AC-19 Access Control for Mobile Devices
- AC-20 Use of External Systems
- AC-22 Publicly Accessible Content
Awareness and Training Controls
- AT-1 Awareness and Training Policy and Procedures
- AT-2 Awareness Training
- AT-2(2) Insider Threat
- AT-2(3) Social Engineering and Mining
- AT-3 Role-based Training
- AT-4 Training Records
Accountability Audit and Risk Management Controls
- AU-1 Accountability Audit and Risk Management Policy and Procedures
- AU-2 Event Logging
- AU-3 Content of Audit Records
- AU-4 Audit Log Storage Capacity
- AU-5 Response to Audit Process Failures
- AU-6 Audit Record Review, Analysis, and Reporting
- AU-8 Time Stamps
- AU-9 Protection of Audit Information
- AU-11 Audit Record Retention
- AU-12 Audit Record Generation
Security Assessment and Authorization Controls
- CA-1 Security Assessment Authorization Policy and Procedures
- CA-2 Control Assessments
- CA-2(1) Independent Assessments
- CA-3 Information Exchange
- CA-5 Plan of Action and Milestones
- CA-6 Authorization
- CA-7 Continuous Monitoring
- CA-7(4) Risk Monitoring
- CA-8 Penetration Testing
- CA-9 Internal System Connections
Configuration Management Controls
- CM-1 Configuration Management Policy and Procedures
- CM-2 Baseline Configuration
- CM-3 Configuration Change Control
- CM-3(2) Testing, Validation and Documentation of Changes
- CM-4 Impact Analyses
- CM-5 Access Restrictions for Change
- CM-6 Configuration Settings
- CM-7 Least Functionality
- CM-8 System Component Inventory
- CM-10 Software Usage Restrictions
- CM-11 User Installed Software
Contingency Planning Controls
- CP-1 Contingency Planning Policy and Procedures
- CP-2 Contingency Plan
- CP-2(1) Coordinate with Related Plans
- CP-3 Contingency Training
- CP-4 Contingency Plan Testing
- CP-4(1) Coordinate with Related Plans (Testing)
- CP-6 Alternate Storage Site
- CP-8 Telecommunications Services
- CP-9 System Backup
- CP-9(3) Separate Storage for Critical Information
- CP-10 System Recovery and Reconstitution
- CP-11 Alternate Communications Protocols
Identification and Authentication Controls
- IA-1 Identification and Authentication Policy and Procedures
- IA-2 Identification and Authentication (Organizational Users)
- IA-2(1) Multifactor Authentication to Privileged Accounts
- IA-2(2) Multifactor Authentication to Non-Privileged Accounts
- IA-4 Identifier Management
- IA-5 Authenticator Management
- IA-5(1) Password-based Authentication
- IA-6 Authenticator Feedback
- IA-7 Cryptographic Module Authentication
- IA-8 Identification and Authentication (Non-Organizational Users)
- IA-11 Re-Authentication
- IA-12 Identity Proofing
- IA-12(2) Identity Evidence
- IA-12(3) Identity Evidence Validation and Verification
Incident Response Controls
- IR-1 Incident Response Policy and Procedures
- IR-2 Incident Response Training
- IR-3 Incident Response Testing
- IR-4 Incident Handling
- IR-4(8) Correlation with External Organizations
- IR-4(14) Security Operations Center
- IR-5 Incident Monitoring
- IR-6 Incident Reporting
- IR-6(1) Automated Reporting
- IR-7 Incident Response Assistance
- IR-8 Incident Response Plan
- IR-9 Information Spillage Response
Maintenance Controls
- MA-1 Maintenance Policy and Procedures
- MA-2 Controlled Maintenance
- MA-4 Non-local Maintenance
- MA-5 Maintenance Personnel
Media Protection Controls
Physical and Environmental Protection Controls
- PE-1 Physical and Environmental Protection Policy and Procedures
- PE-2 Physical Access Authorizations
- PE-3 Physical Access Control
- PE-6 Monitoring Physical Access
- PE-6(3) Video Surveillance
- PE-8 Visitor Access Records
- PE-12 Emergency Lighting
- PE-13 Fire Protection
- PE-14 Environmental Controls
- PE-15 Water Damage Protection
- PE-16 Delivery and Removal
- PE-17 Alternate Work Site
- PE-18 Location of System Components
Planning Controls
Program Management Controls
- PM-1 Information Security Program Plan
- PM-2 Information Security Program Leadership Role
- PM-3 Information Security and Privacy Resources
- PM-4 Plan of Action and Milestones Process
- PM-5 System Inventory
- PM-6 Measures of Performance
- PM-7 Enterprise Architecture
- PM-9 Risk Management Strategy
- PM-10 Authorization Process
- PM-14 Testing, Training, and Monitoring
- PM-15 Security and Privacy Groups and Associations
- PM-16 Threat Awareness Program
Personnel Security Controls
- PS-1 Personnel Security Policy and Procedures
- PS-2 Position Risk Designation
- PS-3 Personnel Screening
- PS-4 Personnel Termination
- PS-5 Personnel Transfer
- PS-6 Access Agreements
- PS-7 External Personnel Security
- PS-8 Personnel Sanctions
- PS-9 Position Descriptions
Risk Assessment Controls
- RA-1 Risk Assessment Policy and Procedures
- RA-2 Security Categorization
- RA-3 Risk Assessment
- RA-3(1) Supply Chain Risk Assessment
- RA-5 Vulnerability Monitoring and Scanning
- RA-5(2) Update Vulnerabilities to Be Scanned
- RA-5(11) Public Disclosure Program
- RA-7 Risk Response
System and Services Acquisition Controls
- SA-1 System and Services Acquisition Policy and Procedures
- SA-2 Allocation of Resources
- SA-3 System Development Life Cycle
- SA-4 Acquisition Process
- SA-5 System Documentation
- SA-8 Security and Privacy Engineering Principles
- SA-9 External System Services
- SA-10 Developer Configuration Management
- SA-11 Developer Testing and Evaluation
- SA-22 Unsupported System Components
System and Communication Protection Controls
- SC-1 System and Communications Protection Policy and Procedures
- SC-5 Denial of Service Protection
- SC-7 Boundary Protection
- SC-8 Transmission Confidentiality and Integrity
- SC-12 Cryptographic Key Establishment and Management
- SC-13 Cryptographic Protection
- SC-15 Collaborative Computing Devices and Applications
- SC-20 Secure Name/Address Resolution Service (Authoritative Source)
- SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
- SC-22 Architecture and Provisioning for Name/Address Resolution Service
- SC-39 Process Isolation
System and Information Integrity Controls
- SI-1 System and Information Integrity Policy and Procedures
- SI-2 Flaw Remediation
- SI-3 Malicious Code Protection
- SI-4 System Monitoring
- SI-5 Security Alerts, Advisories, and Directives
- SI-10 Information Input Validation
- SI-12 Information Handling and Retention
- SI-12(1) Limit Personally Identifiable Information Elements