Information Security Program

Texas Administrative Code 202.74 establishes the requirement and content for an Information Security Program at all Texas public Institutions of Higher Education. This program is the collection of actions, procedures, and guidelines to be followed by all members of the Texas A&M community, with respect to information security, consistent with the policies of the university, the security of the university's IT assets, and the safety of the university community. The Information Security Program is responsive to the elements described in TAC 202.74.

IT Risk Management and Ensuring Compliance to the TAC 202 Security Control Standards Catalog

Texas A&M University is standardizing risk assessment methodology with Texas Department of Information Resources.  All units controlling information resources must complete an annual risk assessment within an approved risk assessment tool to measure, document, and verify compliance to the TAC 202 Security Control Standards Catalog.

Risk Management & Policy ensures compliance through the risk assessment review process.  Findings from annual risk assessment reviews may influence the Texas A&M University IT Risk Management Plan where university-level mitigations are enacted.

For more information, please refer to Risk Assessment Reporting and Reviews.

IT Policy Alignment to TAC 202

Texas A&M University is in the process of aligning IT policies to the TAC 202 Security Control Standards Catalog.  The DIR Control Families Crosswalk details the current alignment of university rules and SAPs to Texas Department of Information Resources control families.

When creating or modifying IT policy within Series 29 of the TAMU Rules and SAPs, measures to reduce IT risk are incorporated by design, and these measures are verified to be cost effective by IT policy review governance.   

Currently, nine university rules and SAPs address information security for networks, facilities, and systems.  These SAPs, however, are primarily based on regulatory mandates and not specifically on risk.  There is no active process for addressing policy deficiencies. The creation or modification of policies is determined based on emergent need or mandatory review dates.    

Exclusions from IT Policy Requirements

Requests for exclusions from IT policy requirements may be submitted to the Chief Information Security Officer.  All approved exclusions must be renewed annually.  The process for requesting, justifying, granting, and documenting exclusions to policy can be found in TAMU SAP 29.01.03.M1.27 Exclusions from Required Risk Mitigation Measures.

Strategies for High-Impact Information Resources

TAC 202.1 defines High Impact Information Resources as Information Resources whose loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

As a part of the Continuity of Operations Planning (COOP) function of Risk Management and Policy (RMP), RMP staff will develop processes for identifying and securing High-Impact Information Resources within the university.

Data Classifications

The Texas A&M University System Data Classification Standard defines, with the exception of the State of Texas’s definition of Confidential data, data classifications for TAMU System members including Texas A&M University.  An information resource must be protected - and thereby assessed for risk and compliance - to the highest data classification applicable to the data stored, processed, or transmitted by it.

Security Life Cycle for Information Systems

Maintaining the security posture of an information resource throughout its lifecycle helps to reduce unnecessary risk to the data stored, processed, or transmitted by it.  Information systems should have a defined security life cycle that is incorporated into the framework of the information system life cycle from conception to disposition. This includes any development, programming, configuration, or operational changes and modifications that occur throughout the life of the information system. Although complex information systems may have different security measures at the different subsystems, components, or layers, they should be combined in a complementary manner to provide a comprehensive defense-in-depth security framework and life cycle.

Security Control SA-3 System Development Lifecycle addresses this policy in detail.

Information Security Awareness

All Texas A&M University employees are required to complete the Information Security Awareness Training annually.  The content for this training is developed by Risk Management & Policy and hosted by Employee Organizational Development.

The Division of IT utilizes social media and other platforms to deliver a relevant information security campaign to students.

Questions? Comments?

Please send feedback and questions to the Division of Information Technology at