IT Policy

Why must IT staff follow the requirements in the newly-created Texas A&M Information Security Controls Catalog?

In 2015, the Texas Department of Information Resources (DIR) revised Texas Administrative Code Chapter 202, Information Security Standards. The revised rule includes provisions in TAC §202.76 that mandate the standards all institutions of higher education must use to provide levels of information security appropriate to their risk levels. In 2016, DIR released a revised version of its Security Controls Standard Catalog.

How did DIR develop its Security Controls Standard Catalog?

As part of a formal review of TAC 202, DIR researched a number of security policies and standards before determining that a catalog of security controls would give state agencies and higher education institutions specific implementation guidance in a format that aligns with National Institute of Standards and Technology Special Publication 800-53 Revision 4 (NIST SP 800-53 Rev. 4).

How can my unit be excluded from a required security control?

The information resource owner or designee is responsible for ensuring that the protection measures in the Security Controls Catalog are implemented. Based on risk management considerations and business functions, the resource owner may request that certain protection measures within a control be excluded. All exclusions must follow the procedure below.

Email ra@tamu.edu to obtain the exclusion request form. Once the form is submitted and processed by the office of the CISO, a decision to approve or deny the exclusion will be returned to the requestor.

Why do the University's Information Security Risk Assessment Procedures reference security controls not found in the Texas A&M University Security Controls Catalog?

DIR has introduced a new tool to support state agencies and institutions of higher education in conducting state-mandated security risk assessments. The tool uses the NIST SP 800-53 Rev. 4 security controls, rather than the DIR Security Controls Standard Catalog, as the baseline reference for its questions.

IT Risk Management

Why do I have to complete a risk assessment?

All administrators must ensure that risk assessments are performed on all information resources they manage. More information about the requirements can be found here.

Where can I find help on answering risk assessment questions?

Texas A&M IT Risk Management provides a guidance tool to assist with interpreting the questions, along with comments and examples.

When do I enter findings into SPECTRIM?

Findings are not generated until the assessment has gone through the approval process. After the Security Office approves the assessment, the assessor can go back into the assessment and respond to the generated findings. The "Findings" section is a collapsed section under the "Quantitative Summary" section within an assessment.

How do I enter findings into SPECTRIM?

The assessment must go through the approval process before any findings can be addressed in SPECTRIM. Once the assessment is approved, the assessor can go back into it and respond to the generated findings. The "Findings" section is a collapsed section under the "Quantitative Summary" section within an assessment; click on the "Finding ID" to open a finding. If the inherent score is 100.00, the assessment will have no findings.

What is the approval process for a dean or VP?

The approval process can be found here.

What is SPECTRIM?

The Statewide Portal for Enterprise Cybersecurity Threat, Risk, and Incident Management (SPECTRIM) is the web-based tool that Texas A&M University uses for annual Information Technology (IT) risk assessments as of FY 2016. It is provided by the Texas Department of Information Resources (DIR), which bought an instance of RSA's Archer and branded it as SPECTRIM. Texas A&M IT retired the previous tool, ISAAC, following the end of the FY 2015 risk assessment process.

More information about the requirements can be found here.

Who maintains and manages SPECTRIM?

The Texas Department of Information Resources (DIR) bought an instance of RSA’s Archer and branded it as SPECTRIM. DIR manages SPECTRIM with assistance from RSA.

How do I get a SPECTRIM account?

Complete the prerequisites appropriate to your role. Once you have completed them, email ra@tamu.edu and Texas A&M IT will submit a ticket on your behalf for account creation within SPECTRIM.

What do I do if my SPECTRIM login credentials do not work?

There are multiple reasons why you may not be able to log in to SPECTRIM.

  1. Your account has been locked due to inactivity. Accounts are automatically locked after 60 days of inactivity.
  2. You may not be using the right credentials. Ensure that your username (the specific email address you provided to Texas A&M IT when your account was created), the instance (20224), and your password are all correct.

Email ra@tamu.edu if you need assistance with your SPECTRIM credentials.