New Release of System Policy 29.02

The new System Policy 29.02, Information Security, was released today. This release:

• Establishes cybersecurity as an enterprise governance function led by the System Chief Information Security Officer, separate from traditional IT oversight.
• Formalizes a systemwide information security program aligned with Texas law and recognized frameworks (Texas Cybersecurity Framework and NIST RMF).
• Designates the System Office of Cybersecurity as the central authority for security governance, standards, and oversight across members.
• Implements a structured governance stack — regulations, information security control matrices, standards, and guidelines — to enforce requirements and manage risk consistently.
• Signals a shift toward enterprise architecture and common controls, with an expectation to reduce legacy technology and pursue integrated solutions.
• Reinforces a risk-based model focused on business purpose, not individual IT assets.
• Clarifies a shared-responsibility structure: centralized oversight with delegated execution by system members.
• Separates domains: 29.01 retains IT governance under the SCIO, while 29.02 consolidates security authority and program management.

The policy is available at https://policies.tamus.edu/29-02.pdf.