Tarleton State University

Information Security Controls Catalog



Purpose of the Catalog

The Tarleton State University (Tarleton) Security Controls Catalog establishes the minimum standards and controls for university information security in accordance with Title 1, Texas Administrative Code, Chapter 202 (TAC 202), Information Security Standards, as it applies to institutions of higher education.

The purpose of this Controls Catalog is to provide Tarleton information resource owners, custodians, and other users with specific guidance for implementing security controls that conform to the control standards required by the most current version of the Texas Department of Information Resources (DIR) Security Control Standards Catalog and the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security controls. It is at Tarleton's discretion to go above and beyond any of the minimum required baselines established for information security controls by NIST, DIR, TAC 202, or the Texas A&M University System (TAMUS). Those discretionary and/or additional security controls are also included in this catalog where Tarleton has determined that an elevated security posture is required to mitigate risk.

Each control group is organized under its two-letter group identification code and title, thus adopting the numbering format of the DIR Security Control Standards Catalog and NIST SP 800-53. Each control includes the following formatting and/or information: 

[Control ID Number] [Control Name] 

NIST Baseline: [Low/Moderate/High] This is the NIST baseline associated with the respective control. NIST defines three control baselines, one for each system impact level (low, moderate, and high). This is an informational field only. The DIR Security Control Standards Catalog does not contain distinct baselines; as such, agencies should determine whether additional controls or control baselines are appropriate for a given information system.

Privacy Baseline: [Yes, if applicable] This is the NIST privacy baseline associated with the respective control and is provided, if applicable (i.e., identified by NIST as "Yes"), irrespective of impact level. The privacy control baseline supports federal agencies in addressing privacy requirements and managing privacy risks that arise from processing personally identifiable information (PII), based on privacy program responsibilities under OMB Circular A-130. Tarleton has noted these in the catalog as an informational field only.

DIR Required By: [Date required by DIR, if applicable] 

TAMUS Required By: [Date required by Texas A&M University System (TAMUS), if applicable]  

[If the specific control is not required by DIR or TAMUS, a statement regarding the control being per Tarleton’s discretion for additional security measures will be included here] 

Review Date: [Date of last review] 

[Language of the control requirement and applicability for Tarleton] 

References/Additional Resources: Any applicable resources and/or regulatory requirement references will be included in this section, as applicable.  


Definitions

Below are the terms used frequently in these standards. Additional definitions can be found in:  

Information Resource / Information System

IT hardware and software systems.  

This includes:  

  • data,  
  • equipment, facilities, and software that create, process, store, retrieve, display, or transmit data, and  
  • any computer-related activities involving any device capable of receiving, storing, managing, or transmitting data.  

Examples include: mainframes, servers, network infrastructure, desktop and laptop computers, IP phones, printers, web applications and cloud services.  

Information Resources Manager (IRM) 

The executive responsible for information resources across the institution, as defined in Chapter 2054, Subchapter D, Texas Government Code. At Tarleton, this is the Chief Information Officer (CIO).

Information Resource Owner 

The person legally or operationally responsible and accountable for the data and/or business function supported by an information resource.   

  • The Owner determines controls and access to information resources supporting that business function.  
  • Typically, this is a department head and may be the person responsible for the procurement, development, operation, and maintenance of an information resource.  

Information Resource Custodian

An individual, department, institution, or third-party service provider responsible for supporting and implementing owner-defined controls on information resources. Custodians include information technology units, staff, vendors, and any third party acting as an agent of or otherwise on behalf of the Tarleton Office of Innovative Technology Solutions.

High Impact Information / Information Resources 

Information and information resources that are essential to the mission and operations of the Texas A&M University System or Tarleton State University (Tarleton).   

Loss or disruption of the confidentiality, integrity, or availability of a High Impact Information Resource would result in a severe or catastrophic adverse effect on organizational operations, assets, or individuals. Such an event could:

1. Cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions;  

2. Result in major damage to organizational assets;  

3. Result in major financial loss; or  

4. Result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.  

This term equates to HIGH impact in FIPS 199, Standards for Security Categorization of Federal Information and Information Systems.

A risk assessment should be completed annually on these types of information systems.  

Moderate Impact Information / Information Resources 

Information and information resources whose loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.  Such an event could:  

1. Cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced;

2. Result in significant damage to organizational assets;

3. Result in significant financial loss; or

4. Result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.

A risk assessment should be completed every two years on these types of information systems. 

Low Impact Information / Information Resources  

Information and information resources whose loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. Such an event could:  

1. Cause a degradation in mission capability to an extent and duration that the organization can perform its primary functions, but the effectiveness of the functions is noticeably reduced;

2. Result in minor damage to organizational assets;

3. Result in minor financial loss; or

4. Result in minor harm to individuals.

A risk assessment should be completed every three years on these types of information systems. 


Publication Requirement

Tarleton maintains a Security Controls Catalog in accordance with TAC §202.76, which requires publication of mandatory and minimum required security controls for institutions of higher education.  


Exceptions to the Catalog

Information resource owners are responsible for ensuring that the protective measures in the Security Controls Catalog are implemented. An information resource owner may request to exclude a specific protection measure mandated by a control in favor of an alternate mitigation, based on risk management considerations and business function. Any exception to an information security control in this catalog must be approved and documented before it takes effect.

Contact the Tarleton Chief Information Security Officer (CISO) or the Tarleton Office of Innovative Technology Solutions (OITS) Security Team to request an exception to a security control. Once the request has been processed and reviewed by the CISO and the OITS Security Team, a decision to approve or deny the exception will be returned to the requestor.