Information Security Controls Matrix

The information security controls matrix identifies the security controls required by the State of Texas or the Texas A&M University System and assigns responsibility for implementing each control to one of the following:

(Common) controls are implemented at the Texas A&M System level and are inheritable by each member institution;

(Hybrid) controls are a shared responsibility between the Texas A&M System and each member institution;

(Org) controls are implemented by each member at the institution level and inherited by all information systems;

(Info Sys) controls are the responsibility of each information resource owner under the direction of the member information security officer.

The Provider column names the common control provider for Common and Hybrid controls and, where noted in parentheses, the scope of the common control.

Control | Assignment (Common, Hybrid, Org or Info Sys) | Provider

AC — Access Control
AC-01 Policy and Procedures | X |
AC-02 Account Management | X |
AC-02(03) Disable Accounts | X |
AC-02(07) Privileged User Accounts | X |
AC-03 Access Enforcement | X |
AC-03(07) Role-based Access Control | X |
AC-05 Separation of Duties | X |
AC-06 Least Privilege | X |
AC-07 Unsuccessful Logon Attempts | X |
AC-08 System Use Notification | X |
AC-11 Device Lock | X |
AC-14 Permitted Actions Without Identification or Authentication | X |
AC-17 Remote Access | X |
AC-18 Wireless Access | X |
AC-19 Access Control for Mobile Devices | X |
AC-20 Use of External Systems | X |
AC-22 Publicly Accessible Content | X |

AT — Awareness and Training
AT-01 Policy and Procedures | X |
AT-02 Literacy Training and Awareness | X | TAMUS Cybersecurity
AT-02(02) Insider Threat | X | TAMUS Cybersecurity
AT-02(03) Social Engineering and Mining | X | TAMUS Cybersecurity
AT-03 Role-based Training | X |
AT-04 Training Records | X | TrainTraq (for literacy training records)

AU — Audit and Accountability
AU-01 Policy and Procedures | X |
AU-02 Event Logging | X |
AU-03 Content of Audit Records | X |
AU-04 Audit Log Storage Capacity | X |
AU-05 Response to Audit Logging Process Failures | X |
AU-06 Audit Record Review, Analysis, and Reporting | X |
AU-08 Time Stamps | X |
AU-09 Protection of Audit Information | X |
AU-11 Audit Record Retention | X |
AU-12 Audit Record Generation | X |

CA — Assessment, Authorization, and Monitoring
CA-01 Policy and Procedures | X |
CA-02 Control Assessments | X |
CA-02(01) Independent Assessors | X |
CA-03 Information Exchange | X |
CA-05 Plan of Action and Milestones | X |
CA-06 Authorization | X |
CA-07 Continuous Monitoring | X |
CA-07(04) Risk Monitoring | X |
CA-08 Penetration Testing | X |
CA-09 Internal System Connections | X |

CM — Configuration Management
CM-01 Policy and Procedures | X |
CM-02 Baseline Configuration | X |
CM-03 Configuration Change Control | X |
CM-03(02) Testing, Validation, and Documentation of Changes | X |
CM-04 Impact Analyses | X |
CM-05 Access Restrictions for Change | X |
CM-06 Configuration Settings | X |
CM-07 Least Functionality | X |
CM-08 System Component Inventory | X |
CM-10 Software Usage Restrictions | X |
CM-11 User-installed Software | X |

CP — Contingency Planning
CP-01 Policy and Procedures | X |
CP-02 Contingency Plan | X |
CP-02(01) Coordinate with Related Plans | X |
CP-03 Contingency Training | X |
CP-04 Contingency Plan Testing | X |
CP-04(01) Coordinate with Related Plans | X |
CP-06 Alternate Storage Site | X |
CP-07 Alternate Processing Site | X |
CP-08 Telecommunications Services | X |
CP-09 System Backup | X |
CP-09(02) Test Restoration Using Sampling | X |
CP-09(03) Separate Storage for Critical Information | X |
CP-10 System Recovery and Reconstitution | X |
CP-11 Alternate Communications Protocols | X |

IA — Identification and Authentication
IA-01 Policy and Procedures | X |
IA-02 Identification and Authentication (Organizational Users) | X |
IA-02(01) Multi-factor Authentication to Privileged Accounts | X |
IA-02(02) Multi-factor Authentication to Non-privileged Accounts | X |
IA-04 Identifier Management | X |
IA-05 Authenticator Management | X |
IA-05(01) Password-based Authentication | X |
IA-05(09) Federated Credential Management | X |
IA-06 Authentication Feedback | X |
IA-07 Cryptographic Module Authentication | X |
IA-08 Identification and Authentication (Non-organizational Users) | X |
IA-11 Re-authentication | X |
IA-12 Identity Proofing | X |
IA-12(02) Identity Evidence | X |
IA-12(03) Identity Evidence Validation and Verification | X |

IR — Incident Response
IR-01 Policy and Procedures | X |
IR-02 Incident Response Training | X |
IR-03 Incident Response Testing | X |
IR-04 Incident Handling | X | TAMUS Cybersecurity
IR-04(08) Correlation with External Organizations | X |
IR-04(14) Security Operations Center | X | TAMUS Cybersecurity
IR-05 Incident Monitoring | X | TAMUS Cybersecurity (for incidents managed by TAMUS Cyber Operations)
IR-06 Incident Reporting | X |
IR-06(01) Automated Reporting | X |
IR-07 Incident Response Assistance | X |
IR-08 Incident Response Plan | X |
IR-09 Information Spillage Response | X |

MA — Maintenance
MA-01 Policy and Procedures | X |
MA-02 Controlled Maintenance | X |
MA-04 Nonlocal Maintenance | X |
MA-05 Maintenance Personnel | X |

MP — Media Protection
MP-01 Policy and Procedures | X |
MP-02 Media Access | X |
MP-03 Media Marking | X |
MP-06 Media Sanitization | X |
MP-06(01) Review, Approve, Track, Document, and Verify | X |
MP-07 Media Use | X |

PE — Physical and Environmental Protection
PE-01 Policy and Procedures | X |
PE-02 Physical Access Authorizations | X |
PE-03 Physical Access Control | X |
PE-06 Monitoring Physical Access | X |
PE-06(03) Video Surveillance | X |
PE-08 Visitor Access Records | X |
PE-12 Emergency Lighting | X |
PE-13 Fire Protection | X |
PE-14 Environmental Controls | X |
PE-15 Water Damage Protection | X |
PE-16 Delivery and Removal | X |
PE-17 Alternate Work Site | X |
PE-18 Location of System Components | X |

PL — Planning
PL-01 Policy and Procedures | X |
PL-02 System Security and Privacy Plans | X |
PL-04 Rules of Behavior | X |
PL-04(01) Social Media and External Site/Application Usage Restrictions | X |
PL-10 Baseline Selection | X |
PL-11 Baseline Tailoring | X |

PM — Program Management
PM-01 Information Security Program Plan | X |
PM-02 Information Security Program Leadership Role | X |
PM-03 Information Security and Privacy Resources | X |
PM-04 Plan of Action and Milestones Process | X |
PM-05 System Inventory | X |
PM-05(01) Inventory of Personally Identifiable Information | X |
PM-06 Measures of Performance | X |
PM-07 Enterprise Architecture | X |
PM-09 Risk Management Strategy | X |
PM-10 Authorization Process | X |
PM-11 Mission and Business Process Definition | X |
PM-14 Testing, Training, and Monitoring | X |
PM-15 Security and Privacy Groups and Associations | X | TAMUS Cybersecurity
PM-16 Threat Awareness Program | X |
PM-22 Personally Identifiable Information Quality Management | X |

PS — Personnel Security
PS-01 Policy and Procedures | X |
PS-02 Position Risk Designation | X | TAMUS and Member Human Resources
PS-03 Personnel Screening | X | TAMUS and Member Human Resources
PS-04 Personnel Termination | X |
PS-05 Personnel Transfer | X |
PS-06 Access Agreements | X |
PS-07 External Personnel Security | X |
PS-08 Personnel Sanctions | X |
PS-09 Position Descriptions | X | TAMUS and Member Human Resources

RA — Risk Assessment
RA-01 Policy and Procedures | X |
RA-02 Security Categorization | X |
RA-03 Risk Assessment | X |
RA-03(01) Supply Chain Risk Assessment | X |
RA-05 Vulnerability Monitoring and Scanning | X |
RA-05(02) Update Vulnerabilities to Be Scanned | X |
RA-05(11) Public Disclosure Program | X |
RA-07 Risk Response | X |

SA — System and Services Acquisition
SA-01 Policy and Procedures | X |
SA-02 Allocation of Resources | X |
SA-03 System Development Life Cycle | X |
SA-04 Acquisition Process | X |
SA-05 System Documentation | X |
SA-08 Security and Privacy Engineering Principles | X |
SA-09 External System Services | X |
SA-10 Developer Configuration Management | X |
SA-11 Developer Testing and Evaluation | X |
SA-22 Unsupported System Components | X |

SC — System and Communications Protection
SC-01 Policy and Procedures | X |
SC-05 Denial-of-service Protection | X |
SC-07 Boundary Protection | X |
SC-07(11) Restrict Incoming Communications Traffic | X |
SC-08 Transmission Confidentiality and Integrity | X |
SC-12 Cryptographic Key Establishment and Management | X |
SC-13 Cryptographic Protection | X |
SC-15 Collaborative Computing Devices and Applications | X |
SC-20 Secure Name/Address Resolution Service (Authoritative Source) | X |
SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver) | X |
SC-22 Architecture and Provisioning for Name/Address Resolution Service | X |
SC-39 Process Isolation | X |

SI — System and Information Integrity
SI-01 Policy and Procedures | X |
SI-02 Flaw Remediation | X |
SI-03 Malicious Code Protection | X |
SI-04 System Monitoring | X | TAMUS Cybersecurity (for managed endpoints)
SI-05 Security Alerts, Advisories, and Directives | X |
SI-08 Spam Protection | X |
SI-10 Information Input Validation | X |
SI-12 Information Management and Retention | X |
SI-12(01) Limit Personally Identifiable Information Elements | X |

SR — Supply Chain Risk Management
SR-01 Policy and Procedures | X |
SR-02 Supply Chain Risk Management Plan | X |
SR-03 Supply Chain Controls and Processes | X |
SR-05 Acquisition Strategies, Tools, and Methods | X |
SR-08 Notification Agreements | X |
SR-12 Component Disposal | X |