Updated Security Control Standards

Nick McLarty
Deputy Chief Information Security Officer

DIR has added seven new security control standards in version 2.2 of their security control standards catalog. These have been incorporated into the A&M System Security Control Standards Catalog, published at https://www.cyber.tamus.edu/catalog/. All controls have a required implementation date of February 28, 2027, and are listed below:

CP-07 Alternate Processing Site
Establish an alternate processing site for essential mission and business functions when the primary processing capabilities are unavailable.

CP-09(02) Test Restoration Using Sampling
Use a sample of backup information in the restoration of selected high-impact system functions as part of contingency plan testing.

CP-09(03) Separate Storage for Critical Information [This was an existing required TAMUS control]
Store backup copies of critical system software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the operational system.

PM-05(01) Inventory of Personally Identifiable Information
Establish, maintain, and update an inventory of all systems, applications, and projects that process personally identifiable information.

PM-11 Mission and Business Process Definition
Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and determine information protection and personally identifiable information processing needs arising from the defined mission and business processes.

PM-22 Personally Identifiable Information Quality Management
Develop and document organization-wide policies and procedures for reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle, and correcting or deleting and disseminating notices of inaccurate or outdated personally identifiable information.

SI-08 Spam Protection
Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages.