CA-2: Control Assessments
NIST Baseline: Low
Privacy Baseline: Yes
DIR Required By: 07/20/2023
Review Date: 06/26/2024
Texas Administrative Code (TAC) §202.76(c) requires an assessment of the Tarleton State University (Tarleton) security program for compliance with TAC §202, including the security controls required by the Texas Department of Information Resources (DIR).
- The Tarleton Chief Information Security Officer (CISO) or their designee is responsible for developing a control assessment plan that describes the scope of the assessment, including:
  - Controls under assessment;
  - Assessment procedures used to determine the effectiveness of each security control; and
  - Assessment environment, team, roles, and responsibilities.
- The security controls assessment will:
  - Review the Tarleton security controls and the environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, meeting security requirements, and producing the desired outcome;
  - Be performed by individual(s) independent of the CISO; and
  - Be performed at least biennially (every other year), or more frequently when risk management decisions warrant.
- Assessment results will be reported to the Tarleton Chief Information Officer (CIO), CISO, and other executive leadership.
Note: This control is distinct from the information security risk assessments described in Control RA-3, Risk Assessment.