Tarleton State University
Information Security Controls Catalog
Purpose of the Catalog
The Tarleton State University (Tarleton) Security Controls Catalog establishes the minimum standards and controls for university information security in accordance with Title 1, Texas Administrative Code (TAC 202), Information Security Standards for Institutions of Higher Education.
The purpose of this Controls Catalog is to provide Tarleton information resource owners, custodians, and other users with specific guidance for implementing security controls that conform to the control standards currently required by the most recent version of the Texas Department of Information Resources (DIR) Security Control Standards Catalog and the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security controls. It is at Tarleton’s discretion to go above and beyond any of the minimum required baselines established for information security controls by NIST, DIR, TAC 202, or the Texas A&M University System (TAMUS). Those discretionary and/or additional security controls are also included in this catalog where Tarleton has deemed that an elevated security posture is required to mitigate risks.
Each control group is organized under its two-letter group identification code and title, thus adopting the numbering format of the DIR Security Control Standards Catalog and NIST SP 800-53. Each control includes the following formatting and/or information:
[Control ID Number] [Control Name]
NIST Baseline: [Low/Moderate/High] This is the NIST baseline associated with the respective control: there are three control baselines (one for each system impact level – low-impact, moderate-impact, and high-impact). This is an informational field only. The DIR Security Control Standards Catalog does not contain distinct baselines. As such, agencies should determine whether additional controls or control baselines are appropriate for a given information system.
Privacy Baseline: [Yes, if applicable] This is the NIST privacy baseline associated with the respective control and is provided, if applicable (i.e. identified by NIST as “Yes”) irrespective of impact level. The privacy control baseline supports federal agencies in addressing privacy requirements and managing privacy risks that arise from processing personally identifiable information (PII) based on privacy program responsibilities under OMB Circular A-130. Tarleton has noted these in the catalog as an informational field only.
DIR Required By: [Date required by DIR, if applicable]
TAMUS Required By: [Date required by Texas A&M University System (TAMUS), if applicable]
[If the specific control is not required by DIR or TAMUS, a statement regarding the control being per Tarleton’s discretion for additional security measures will be included here]
Review Date: [Date of last review]
[Language of the control requirement and applicability for Tarleton]
References/Additional Resources: Any applicable resources and/or regulatory requirement references are included in this section.
Definitions
Below are the terms used frequently in these standards. Additional definitions can be found in:
Publication Requirement
Tarleton maintains a Security Controls Catalog in accordance with TAC §202.76, which requires publication of mandatory and minimum required security controls for institutions of higher education.
Exceptions to the Catalog
Information resource owners are responsible for ensuring that the protective measures in the Security Controls Catalog are implemented. Information resource owners may request to exclude certain protection measures mandated by a control in favor of an alternate mitigation based on risk management considerations and business functions. Any exceptions to the information security controls in this catalog must be approved and documented.
Contact the Tarleton Chief Information Security Officer (CISO) or the Tarleton Office of Innovative Technology Solutions (OITS) – Security Team to request an exception to a security control. Once processed and reviewed by the CISO and the OITS – Security Team, an opinion for approval or denial will be returned to the requestor.