Introduction

All information resources (workstations, laptops, tablets, etc.) are required to be assessed annually, per Texas Administrative Code 202 (TAC 202) and TAMU Rule 29.01.03.M0.01 Procedure 3.

This survey must be completed by individuals who have local administrator accounts on one or more information resources. Depending on configurations, all information resources may be included in one survey.

Section 1 is used to gather information about what is being assessed. The survey starts in Section 2 and consists of 16 questions.

Email address:

Use your university email address.

Section 1: General Information

This section is used to gather information about the information resource(s).

a. Local administrator’s first and last name:

b. Name(s) for the information resource(s):

All information resources on the Texas A&M network have a name.

For Windows operating systems (OS): Control Panel -> System and Security -> System -> look for “Full computer name:” under the “Computer name, domain, and workgroup settings” section

For Apple OS: Apple menu -> System Preferences -> then click Sharing -> then look for “Computer Name”

c. Information resource(s) identification number(s) used by the unit:

TAMU asset number used for/listed in FAMIS/Canopy, department level identification numbers, etc.

Most departments add a service tag label on information resources before distributing to employees that help track it for general inventory management practices. This tag is often easily visible on the information resource.

d. Hardware type(s):

Select each option that applies to the information resource(s).

Answer Choices: Desktop; Laptop or tablet (full desktop operating system); Tablet (Android or iOS); Other:

e. Operating System (OS) family:

Select all applicable operating system families for the information resource(s).

Answer Choices: Windows; Mac OS X/macOS; Linux/Solaris/FreeBSD; Android OS (mobile); iOS (Apple mobile); Other:

f. Quantity:

Provide the number of information resources included in this survey. Enter that number (e.g. 1, 2, 3, etc.).

g. Where is the information resource(s) used?

Select each option that applies to the information resource(s).

Answer Choices: At the university when unit IT support is available; At the university when unit IT support is not available (e.g. weekends and nights); At home; While traveling; Other:

Section 2: Resource Maintenance

This section is the start of the survey and focuses on how the information resource(s) is maintained.

1. Is a system use notification message or banner displayed before granting access to the information resource(s)?

Answer Choices: Yes; No; Managed by unit IT staff

Why is this important?

The banner ensures users acknowledge and are reminded of the computer usage rules defined by the university.

University Control(s): System Use Notification (AC-8)

2. Is anti-virus / anti-malware software installed and run (scans performed periodically) on the information resource(s)?

Answer Choices: Yes; No; Managed by unit IT staff

Why is this important?

Malicious code such as viruses, malware, or trojans can:

  • Steal or destroy data such as personal identifiable information, university data, or research
  • Impact computer performance
  • Cause the computer to perform illegal activities

Anti-virus software can deny unwanted entry to the information resource and block attempts to install the malicious code listed above. Regular scanning ensures that if anything slips through, it gets detected and then removed. Most anti-virus software allows you to schedule scans.

University Control(s): Malicious Code Protection (SI-3)

3. Are patches and/or updates installed within 90 days of vendor release for software?

Answer Choices: Yes; No; Unknown; Managed by unit IT staff

Why is this important?

Malware compromises systems by exploiting vulnerabilities in unpatched software. By not applying patches and/or updates to your operating system, web browsers, and other applications, you may be vulnerable to malware attacks. Patching your software should become a habit, and the timeframe between when an exploit is discovered and when a patch is released is continually getting shorter.

University Control(s): Configuration Management Policy and Procedures (CM-1), Malicious Code Protection (SI-3)

4. Is only authorized and appropriately licensed software installed on the information resource(s)?

Answer Choices: Yes; No; Unknown

Why is this important?

Unauthorized software can contain embedded malicious code that will infect the information resource. Installing software without the proper license, or not following the licensing agreement, is a breach of federal copyright law.

University Control(s): User Installed Software (CM-11)

5. Do you override any unit IT workstation policy settings on the information resource(s)?

Answer Choices: Yes; No

Why is this important?

Overriding a policy set on the information resource may make it susceptible to attack.

University Control(s): Configuration Management Policy and Procedures (CM-1), Malicious Code Protection (SI-3)

Section 3: Data Classification

This section focuses on data classification and Social Security Number (SSN) scanning on the information resource(s).

6. Is confidential data (e.g. SSNs, Family Educational Rights and Privacy Act (FERPA), Protected Health Information (PHI), Personally Identifiable Information (PII), etc.) stored on the information resource(s)?

In general, accessing confidential data via applications (email, shared networked storage, web browser, etc.) does not mean you are storing confidential information on the information resource(s) itself. However, if you make a copy from one of these applications and save locally (e.g. drag-and-drop, save, copy-paste a file, save email, etc.), you are storing confidential data on the information resource(s).

Answer Choices: Yes; No; Unknown

Why is this important?

You should know what data is saved on the information resources you use. Many units have policies against saving confidential data to a computer’s internal hard drive in order to protect the information from loss or disclosure.

University Control(s): Security Categorization (RA-2)

7. Is the information resource(s) scanned for SSNs by using a software tool (e.g. Identity Finder) and/or is whole disk encryption used to protect data stored on the information resource(s)?

Answer Choices: Scan; Whole Disk Encryption; Both – Scan and Whole Disk Encryption; Unit IT often scans; None of the above

Why is this important?

It is important to know if SSNs are stored on information resources because there are specific protection (e.g. encryption, access control) and reporting requirements when storing SSNs. If an information resource that contains SSNs is stolen, or if an email attachment containing SSNs is sent to an unauthorized individual, this is considered a data breach. Scanning helps determine whether files on an information resource contain SSNs or not.

University Control(s): Security Categorization (RA-2)

Section 4: User Access

This section focuses on user account access, passwords, authentication systems, etc.

8. Does access to the information resource(s) require a unique user ID and password for anyone trying to log in to the information resource(s)?

Answer Choices: Yes; No

Why is this important?

Unique user IDs and passwords help prevent unauthorized users from accessing information resources. Most unauthorized users try to gain access to information resources for illegal purposes, which may include theft or modification of confidential data.

University employees should never share their user account. If the account is assigned to you or created by you, you are accountable if you share it and it is used for inappropriate reasons. Any activity generated by the user account such as accessing files, changing passwords or deleting information, can be traced back to you.

University Control(s): Account Management (AC-2)

9. For standard user accounts, are the password requirements: at least eight characters in length and containing three of the following four groups of characters - lowercase letters, uppercase letters, symbols or numbers?

If your password is at least 16 characters long, you are not required to meet the complexity requirements above.

Answer Choices: Yes; No; Managed by unit IT staff; N/A - 16 characters or more

Why is this important?

The length and complexity of a password makes it harder for someone to crack. Having other security controls in place, such as account lock-out after a number of unsuccessful login attempts, makes it even harder for someone to crack.

University SAP: 29.01.03.M1.14 Information Resources – Password-based Authentication

10. For administrator accounts, are the password requirements: at least 16 characters in length and at least one lowercase letter, one uppercase letter, and one non-alphabetic symbol?

Answer Choices: Yes; No

Why is this important?

Administrator accounts require a longer password due to the nature of the account. An administrator account is a user account that allows you to: change security settings, install software and hardware, and access all files on the computer.
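A checker for the two password requirements stated in questions 9 and 10, added here as an example and not part of the survey or any university tool. It assumes that "symbols" in the standard-user rule means any character that is not a letter or digit, and that "non-alphabetic symbol" in the administrator rule means any character that is not a letter (so a digit also satisfies it).

```python
"""Password-policy checks for the requirements in questions 9 and 10.

Added example; not part of the original survey. Assumptions:
- "symbols" (question 9) = any character that is neither a letter nor a digit;
- "non-alphabetic symbol" (question 10) = any character that is not a letter.
"""


def _character_groups(password: str) -> set[str]:
    """Return which of the four groups (lower, upper, digit, symbol) appear."""
    groups: set[str] = set()
    for ch in password:
        if ch.islower():
            groups.add("lower")
        elif ch.isupper():
            groups.add("upper")
        elif ch.isdigit():
            groups.add("digit")
        else:
            groups.add("symbol")
    return groups


def policy_findings(password: str, administrator: bool = False) -> list[str]:
    """List the requirements the password fails; an empty list means it passes."""
    groups = _character_groups(password)
    findings: list[str] = []
    if administrator:
        # Question 10: 16+ characters, one lower, one upper, one non-alphabetic.
        if len(password) < 16:
            findings.append("administrator password shorter than 16 characters")
        if "lower" not in groups:
            findings.append("no lowercase letter")
        if "upper" not in groups:
            findings.append("no uppercase letter")
        if not groups & {"digit", "symbol"}:
            findings.append("no non-alphabetic symbol")
    elif len(password) < 16:
        # Question 9: 8+ characters with 3 of 4 groups; 16+ waives complexity.
        if len(password) < 8:
            findings.append("standard password shorter than 8 characters")
        if len(groups) < 3:
            findings.append(f"only {len(groups)} of 4 character groups used (need 3)")
    return findings


def meets_standard_user_policy(password: str) -> bool:
    return not policy_findings(password, administrator=False)


def meets_administrator_policy(password: str) -> bool:
    return not policy_findings(password, administrator=True)
```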

11. Are the login credentials (user ID and password) for your administrator account different than the login credentials for your standard user account?

Answer Choices: Yes; No

Why is this important?

This prevents stolen login credentials from accessing multiple accounts.

University SAP: 29.01.03.M1.14 Information Resources – Password-based Authentication

12. Is multi-factor authentication used for accessing the information resource(s)?

Does the information resource(s) require you to validate via Duo Two-Factor Authentication or a similar product?

Answer Choices: Yes; No

Why is this important?

Multi-factor authentication helps prevent unauthorized users from gaining access to information resources using stolen or compromised login credentials (i.e. user ID, password).

All units are required to use multi-factor authentication when accessing information resources that have access to confidential data. Some units in the university require multi-factor authentication (e.g. Duo) for certain roles, regardless of the type of data the person has access to.

University Control(s): Identification and Authentication (Organizational Users) (IA-2)

TAMUS Policy and Regulation: http://policies.tamus.edu/29-01-03.pdf

13. Do you use your administrator account on information resources that are only assigned to you?

This includes sharing your account information with other people.

Answer Choices: Yes; No

Why is this important?

Most units have policies on local administrator account privileges. In most instances, users with local administrator account privileges should only use those privileges on information resources assigned to them.

University Control(s): Configuration Management Policy and Procedures (CM-1)

14. Is there any software used that requires administrator access to function?

Answer Choices: Yes; No

Why is this important?

You may have software that requires computer administrative privileges to function properly. Newer software avoids this scenario when possible because hackers often use this access to take control of an information resource.

University Control(s): Separation of Duties (AC-5)

15. Is the administrator account only used when needed (to install software or updates) and not used in place of your standard user account?

Answer Choices: Yes; No; No - only have one account, my standard user account was elevated to local administrator

Why is this important?

A local administrator account is a special access account that allows users to make elevated changes to the information resource. It is best practice to only use the administrator account when necessary.

University Control(s): Separation of Duties (AC-5)

16. Do you create additional user accounts on the information resource(s)?

Answer Choices: Yes; No; Managed by unit IT staff

Why is this important?

Most units have policies and procedures regarding user account creation that allow only certain personnel to create user accounts for university information resources. In most instances, users with local administrator account privileges do not have authorization to create additional accounts on university information resources.

University Rule(s): 29.01.03.M2 Rules for Responsible Computing
University Control(s): Account Management (AC-2)