
Updated Security Control Standards

Nick McLarty
Deputy Chief Information Security Officer

Today we released a series of administrative changes to the security control standards. The majority of these changes moved TAMUS Implementation Statement language into organizationally-defined parameters (ODP) within each control, implemented control standards that reflect existing system policy, and assigned an impact baseline for all TAMUS-required controls.

The changes to controls include:

  • AC-02(07): Implementation language moved to AT-03
  • AC-08: Withdrawn TAMUS implementation language
  • AT-02: Added ODP for frequency of training
  • AT-02(02): Implemented insider threat training as part of the system-delivered Information Security Awareness (3001) course
  • AT-02(03): Implemented social engineering and mining training as part of the system-delivered Information Security Awareness (3001) course
  • AT-03: Implemented language moved from AC-02(07) for privileged user role-based training
  • AT-04: Implemented language to address recordkeeping of training delivered via TrainTraq
  • CA-02: Added ODP for frequency of control assessments
  • CA-02(01): Implemented language from 1 TAC 202
  • CM-06: Eliminated language referring to major information systems, relying solely on high-impact systems
  • CP-04: Moved TAMUS implementation language into ODP
  • IA-02(01): Removed TAMUS implementation statement in lieu of DIR having a higher implementation burden
  • IA-05(09): Moved TAMUS implementation language into ODP
  • IR-04: Added references from 29.01.03 to TAMUS implementation statement
  • IR-04(01): Added ODP for automated incident handling process using TAMUS Cyber-provided toolsets
  • IR-04(08): Added ODP with references from 29.01.03
  • IR-04(14): Added references from 29.01.03 to TAMUS implementation statement
  • IR-06: Moved TAMUS implementation language into ODP
  • IR-06(01): Added ODP with references from 29.01.03
  • PL-04: Added ODP for frequency of reviewing rules of behavior
  • PL-10: Implemented language to define the control baseline for A&M System information resources
  • PM-05: Added ODP for frequency of updating inventories of information systems
  • PT-03: Moved to SI-12(01)
  • RA-03: Added ODP with references from 29.01.03
  • RA-05(11): Added ODP to designate TAMUS Cyber Operations as central point of contact for public vulnerability disclosures, inheriting authority from 29.01.03
  • SI-05(01): Added ODP for automated reporting with references from 29.01.03
  • SI-12(01): Implemented control moved from PT-03
  • SR-06: Implemented language designating TAMUS Cyber as provider of supplier assessments and reviews