PL-1: Planning – Policy and Procedures

NIST Baseline:  Low 

Privacy Baseline:  Yes 

DIR Required By:  07/20/2023 

Review Date:  07/31/2024 


Purpose –  

The Planning Policy and associated controls describe the requirements for documenting security and privacy plans and rules of behavior for information resource users.  


Scope and Roles – 


This policy applies to information resources owned or managed by Tarleton. The intended audience includes the Tarleton Chief Information Officer (CIO), Chief Information Security Officer (CISO), and information resource owners and custodians. 


Compliance –  

Security Planning controls are implemented to ensure compliance with Title 1 Texas Administrative Code (TAC) §202.73(a), Texas Government Code §2054.133, the Texas Department of Information Resources (DIR) Security Control Standards Catalog as required by Title 1 Texas Administrative Code §202.76, and Texas A&M University System Regulation 29.01.03, Information Security.


Implementation –  

  • The Tarleton CISO, in coordination with information resource owners and custodians, shall develop, document, and disseminate a policy and set of controls that address the Planning Policy for information resources. These controls and policy should:
    • Address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 
    • Be consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. 
  • Information resource owners and custodians are responsible for any procedures to facilitate the implementation of the Planning Policy and associated controls in order to ensure proper security and privacy planning.
  • The Tarleton CISO, or their designee, shall review and update the Planning Policy and associated controls as necessary. 
  • Tarleton’s CISO shall report annually to Tarleton’s CEO/President, in compliance with 1 TAC §202.73(a), on the Tarleton information security program, addressing the adequacy and effectiveness of information security policies, procedures, and compliance with TAC Chapter 202, based on the:
    • Effectiveness of the current information security program and status of key initiatives; 
    • Residual risks identified by the university risk management process; and 
    • Tarleton security requirements and requests. 

References/Additional Resources

1 TAC § 202.23(a)  

1 TAC § 202.73(a)   

1 TAC § 202.24(a)(2)

1 TAC § 202.74(a)(2)