IT Policy

Why must IT staff follow the requirements in the newly-created Texas A&M Information Security Controls Catalog?

In 2015, the Texas Department of Information Resources (DIR) revised Texas Administrative Code Chapter 202, Information Security Standards. The new rule includes provisions in TAC §202.76 that mandates the standards to be used by all institutions of higher education to provide levels of information security according to risk levels. In 2016, DIR released a revised version of the Security Controls Standard Catalog.

How did DIR develop its Security Controls Standard Catalog?

As part of a formal review of TAC 202, DIR researched a number of security policies and standards before determining the use of security controls would provide state agencies and higher education institutions specific guidance for implementing security controls in a format that easily aligns with the National Institute of Standards and Technology Special Publication 800-53 Version 4 (NIST SP 800-53 Rev. 4).

How can my unit be excluded from a required security control?

The information resource owner or designee is responsible for ensuring the protection measures in the Security Control Catalog are implemented. Based on risk management considerations and business functions, the resource owner may request to exclude certain protection measures provided in a control. All exclusions must be in accordance with the procedure below.

Email to obtain the exclusion request form. Once submitted and processed by the office of the CISO, an opinion for approval or denial will be submitted back to the requestor.

Why does the University’s Information Security Risk Assessment Procedures include reference to security controls not found in the Texas A&M University Security Controls?

DIR has introduced a new tool to support state agencies and institutions of higher education in conducting state-mandated security risk assessments. The tool introduced by DIR includes NIST SP 800-53, Rev. 4 Security Controls as a baseline reference for questions rather than DIR Security Controls Standard.

IT Risk Management

Why do I have to complete a risk assessment?

All administrators must ensure that risk assessments are performed on all information resources they manage. More information about the requirements can be found here.

Where can I find help on answering risk assessment questions?

The Division of IT provides a guidance tool to assist with the interpretation of questions as well as comments and examples.

When do I enter findings into SPECTRIM?

Findings are not generated until the assessments go through the approval process. After the Security Office approves the assessment, the assessor will be able to go back into the assessment and respond to the generated findings. The “Findings” section is a collapsed section under the “Quantitative Summary” section within an assessment.

How do I enter findings into SPECTRIM?

The assessment must go through the approval process before any findings can be entered into SPECTRIM. Once approved, the assessor will be able to go back into the assessment and respond to the findings. The “Findings” section is a collapsed section under the “Quantitative Summary” section within an assessment. Click on the “Finding ID.” If the inherent score is 100.00, you will not have any findings.

What is the approval process for a dean or VP?

The approval process can be found here.


Statewide Portal for Enterprise Cybersecurity Threat, Risk, and Incident Management (SPECTRIM) is the new, web-based tool that Texas A&M University will use for annual Information Technology (IT) risk assessments as of FY 2016. It is provided by the Texas Department of Information Resources (DIR). DIR bought an instance of RSA’s Archer and branded it as SPECTRIM. The Division of  IT retired the old tool, ISAAC, following the end of the FY 2015 risk assessment process.

More information about the requirements can be found here.

Who maintains and manages SPECTRIM?

The Texas Department of Information Resources (DIR) bought an instance of RSA’s Archer and branded it as SPECTRIM. DIR manages SPECTRIM with assistance from RSA.

How do I get a SPECTRIM account?

Complete the appropriate prerequisites for your role. After you have completed the prerequisites, email and the Division of IT will submit a ticket for account creation within SPECTRIM on your behalf.

What do I do if my SPECTRIM login credentials not work?

There are multiple reasons why you may not be able to log in to SPECTRIM.

  1. Account has been locked due to inactivity. Accounts are automatically locked after 60 days of inactivity.
  2. You may not be using the right credentials. Please ensure your username (email address - specific address you provided to Division of IT when your account was created), the instance (20224), and your password are correct.

Email if you need assistance with your SPECTRIM credentials.

IT Continuity of Operations

Is a Continuity of Operations Plan (COOP) the same thing as an IT Disaster Recovery Plan (DRP)?

A COOP plan addresses the emergencies from an all-hazards approach. Its purpose is to ensure critical business functions can be performed efficiently during emergency relocation. A DRP is primarily a site-specific plan developed with procedures to move operations of one or more information systems from a damaged or uninhabitable location to a temporary alternate location. Once the DRP has successfully transferred an information system site to an alternate site, each affected system would then use its respective information system contingency plan to restore, recover, and test systems and put them into operation.

For more information on COOP planning, see and

Who is responsible for maintaining an Information System Contingency Plan (ISCP)?

An ISCP is maintained by the information resource custodian, who is directly responsible for overseeing the recovery and reconstitution process of the IT service.

At what level of the organization should the unit/department IT Disaster Recovery Plan (DRP) be created?

A unit/department IT DRP should be created at the highest level in the organization as practical (ie college, department or division).

Why is a Business Impact Analysis (BIA) required?

A BIA is required to determine if a unit/department manages mission critical resources. A BIA assess systematically the potential impacts of a loss of business functionality due to an interruption of computing and/or infrastructure support services resulting from various events.

Does the Texas A&M University IT Disaster Recovery Plan (DRP) apply to my organization?

No, each unit/department should maintain a unit/department IT DRP for the IT service(s) it manages. The Texas A&M University IT DRP is limited to the Essential IT Services that support critical infrastructure functions as defined in Annex J (Institutional Continuity Plan).

When is a Cost Benefit Analysis required?

An analysis is only required if the IT service is determined to be an Essential IT Service and the actual Recovery Time Objective (RTO) is not in alignment with the required RTO.

What is the difference between an Essential IT Service and a mission critical information resource?

An IT service can be both mission critical to the department that manages the IT service and essential to the university. In the event that an IT service is designated by the Chief Information Officer (CIO) and the Associate Vice President of the Office of Safety and Security as an Essential IT Service, the IT service must meet the requirements for both mission critical and Essential IT Services.


Who is authorized to submit a request to extract email and other data hosted on Texas A&M Division of Information Technology services?

To prevent accidental exposure of confidential information, only requests submitted by a Public Information Liaison Coordinator (PILC) of a unit for mailboxes belonging to their respective unit are considered valid. Another individual within their unit, such as IT, may submit a request on their behalf, but there must be sufficient documented evidence that the request originated from the PILC. If in doubt, the PILC will be contacted to verify the authenticity of the request.

What is the best method of submitting extraction requests from the Division of IT?

Due to the time sensitivity and legal requirements of fulfilling a PIR, reducing communication

delays is paramount. Please email or contact the Chief Information Security Office at directly. If you have not received direct acknowledgement of the request from a member of the Chief Information Security Office within four business hours, please email

What is a hold?

Depending on context, a preservation hold can either refer to the process of preserving ESI or a technical feature within a software application such as the Microsoft In-Place Hold and Litigation Holds feature of Exchange.

What is AccessData EDiscovery and why am I getting emails from that platform?

AccessData EDiscovery is an enterprise-grade E-Discovery platform utilized by OGC for some of their operations. The bulk of the platform is not accessible outside of OGC personnel.

Communications sent through the platform not only serve as official notification but also may provide links to certain functions of the platform necessary to fulfill a responsibility. These may include acknowledging the hold, completing an E-Discovery questionnaire, or other tasks requiring non-OGC personnel to interact with the platform.

May I delete email if I am on an active hold?

If a mailbox is placed on hold within the email server, all email within that mailbox will be retained on the server independent of a user’s actions. For this reason, a user may delete and clear deleted items from that mailbox, however, the email will persist on the server until the hold has been lifted from that mailbox.

For instances where email is archived and stored outside of the email platform, the email is not protected by the hold features of Microsoft Exchange or Gmail. Please contact the ESI Preservation Coordinator or designee if there are any questions regarding the preservation of email.

How do I login to AccessData EDiscovery?

The functions of the platform requiring interaction from university personnel generally utilize unique links sent via email and a simplified web interface. Access to the platform is at the sole discretion of OGC.