All information resources (workstations, laptops, tablets, servers, etc.) are required to be assessed annually, per Texas Administrative Code 202 (TAC 202) and TAMU Rule 29.01.03.M0.01 Procedure 3.

This survey must be completed by individuals who manage one or more information resources (excluding servers). Depending on configurations, all information resources may be included in one survey.

Section 1 is used to gather information about what is being assessed. The survey starts in Section 2 and consists of 12 questions.

Email address:

Use your university email address.

Section 1: General Information

This section is used to gather information about the information resource(s).

a. Information resource(s) owner first and last name:

b. Name(s) for the information resource(s):

All information resources on the Texas A&M network have a name.

For Windows operating systems (OS): Control Panel -> System and Security -> System -> look for “Full computer name:” under the “Computer name, domain, and workgroup settings” section

For Apple OS: Apple menu -> System Preferences -> then click Sharing -> then look for “Computer Name”

c. Information resource(s) identification number(s) used by the unit:

TAMU asset number used for/listed in FAMIS/Canopy, department level identification numbers, etc.

Most departments add a service tag label to information resources before distributing them to employees; the label helps track them for general inventory management. This tag is often easily visible on the information resource.

d. Information resource(s) description:

Briefly, tell us about the information resource(s) and what it is used for. For example: "This workstation is my primary office workstation used for administrative and academic tasks." or "This includes my office workstation, the research cluster, a lab of computers, and my tablet. These resources are used to support my teaching and research."

e. Hardware type(s):

Select each option that applies to the information resource(s).

Answer Choices: Desktop Workstation; Laptop or tablet (full desktop operating system); Tablet (Android or iOS); Other:

f. Operating System (OS) family:

Select all applicable operating system families for the information resource(s).

Answer Choices: Windows; Mac OS X/macOS; Linux/Solaris/FreeBSD; Android OS (mobile); iOS (Apple mobile); Other:

g. Quantity:

Provide the number of information resources included in this survey. Enter that number (e.g. 1, 2, 3, etc.)

h. Number of people with authorized access to the information resource(s):

Enter a number (e.g. 1, 2, 3, etc.)

Section 2: Resource Maintenance

This section is the start of the survey and focuses on how the information resource(s) is maintained.

1. Is a system use notification message or banner displayed before granting access to the information resource(s)?

Answer Choices: Yes; No

Why is this important?

The banner ensures users acknowledge and are reminded of the computer usage rules defined by the university.

University Control(s): System Use Notification (AC-8)

2. Is anti-virus / anti-malware software installed and run (scans performed periodically) on the information resource(s)?

Answer Choices: Yes; No; Unknown

Why is this important?

Malicious code such as viruses, malware, or trojans can:

  • Steal or destroy data such as personally identifiable information, university data, or research
  • Impact computer performance
  • Cause the computer to perform illegal activities

Anti-virus software can deny unwanted entry to the information resource and block attempts to install the malicious code listed above. Regular scanning is also important to ensure that anything which slips through gets detected and then removed. Most anti-virus software allows you to schedule scans.

University Control(s): Malicious Code Protection (SI-3)

3. Are patches and/or updates installed within 90 days of vendor release for hardware and software?

Answer Choices: Yes; No; Unknown

Why is this important?

Malware compromises systems by exploiting vulnerabilities in unpatched software and hardware. By not applying patches and/or updates to your operating system, web browsers, other applications, and hardware, you may be vulnerable to malware attacks. Patching should become a habit, and the timeframe between when an exploit is discovered and when a patch is released is continually getting shorter.

University Control(s): Configuration Management Policy and Procedures (CM-1), Malicious Code Protection (SI-3)

4. Is only authorized and appropriately licensed or open source (e.g. GNU) software installed on the information resource(s)?

Answer Choices: Yes; No; Unknown

Why is this important?

Unauthorized software can contain embedded malicious code that will infect the information resource. Installing software without the proper license, or not following the licensing agreement, is a breach of federal copyright law.

University Control(s): User Installed Software (CM-11)

Section 3: Data Classification

This section focuses on data classification and Social Security Number (SSN) scanning on the information resource(s).

5. Is confidential data (e.g. SSNs, Family Educational Rights and Privacy Act (FERPA), Protected Health Information (PHI), Personally Identifiable Information (PII), etc.) stored on the information resource(s)?

In general, accessing confidential data via applications (email, shared networked storage, web browser, etc.) does not mean you are storing confidential information on the information resource(s) itself. However, if you make a copy from one of these applications and save locally (e.g. drag-and-drop, save, copy-paste a file, save email, etc.), you are storing confidential data on the information resource(s).

Answer Choices: Yes; No; Unknown

Why is this important?

You should know what data is saved on the information resources you use. Many units have policies against saving confidential data to a computer’s internal hard drive in order to protect the information from loss or disclosure.

University Control(s): Security Categorization (RA-2)

6. Is the information resource(s) scanned for SSNs by using a software tool (e.g. Identity Finder) and/or is whole disk encryption used to protect data stored on the information resource(s)?

Answer Choices: Scan; Whole Disk Encryption; Both – Scan and Whole Disk Encryption; None of the above

Why is this important?

It is important to know if SSNs are stored on information resources because there are specific protection (e.g. encryption, access control) and reporting requirements when storing SSNs. If an information resource that contains SSNs is stolen, or if an email attachment containing SSNs is sent to an unauthorized individual, this is considered a data breach. Scanning helps determine whether files on an information resource contain SSNs or not.

University Control(s): Security Categorization (RA-2)

Section 4: User Access

This section focuses on user account access, passwords, authentication systems, etc.

7. Does access to the information resource(s) require a unique user ID and password for anyone trying to log in to the information resource(s)?

Answer Choices: Yes; No

Why is this important?

Unique user IDs and passwords help prevent unauthorized users from accessing information resources. Most unauthorized users try to gain access to information resources for illegal purposes that may include theft or modification of confidential data.

University employees should never share their user account. If the account is assigned to you or created by you, you are accountable if you share it and it is used for inappropriate reasons. Any activity generated by the user account, such as accessing files, changing passwords, or deleting information, can be traced back to you.

University Control(s): Account Management (AC-2)

8. Do any non-university personnel (e.g. students who are not student workers, vendors, etc.) have an account or access to an account (e.g. borrowing account credentials, temporary account credentials) on the information resource(s)?

Answer Choices: Yes; No; Unknown

Why is this important?

All university personnel are required to take the Information Security Awareness training module annually. This course covers safe computing practices, related policies and laws, and recognizing and responding to security concerns. At the end of the course, all users must acknowledge they have read, understand, and will comply with university requirements regarding computer security policies and procedures.

University Control(s): Security Awareness and Training (AT-2)

9. Do the password requirements call for at least eight characters in length and three of the following four groups of characters: lowercase letters, uppercase letters, symbols, or numbers?

If your password is at least 16 characters long, you are not required to meet the complexity requirements above.

Answer Choices: Yes; No; N/A - 16 characters or more; Passwords are not used

Why is this important?

The length and complexity of a password make it harder for someone to crack. Having other security controls in place, such as account lock-out after a number of unsuccessful login attempts, makes it even harder for someone to crack.

University SAP(s): 29.01.03.M1.14 Information Resources – Password-based Authentication

10. How often are passwords required to be changed on the information resource(s) that you manage?

Answer Choices: Less than 1 year; 1 year; Between 1 and 4 years; 4 years; More than 4 years; Passwords are not required to be changed; Passwords are not used

Why is this important?

Changing passwords periodically helps prevent someone who has managed to steal your password from using it to gain access to your account. If you have any reason to think your account has been compromised or someone has your password, change it immediately.

University SAP(s): 29.01.03.M1.14 Information Resources – Password-based Authentication

11. Are accounts locked out of the information resource(s) after a defined number of unsuccessful login attempts in a defined time limit?

Answer Choices: Yes; No; Unknown

Why is this important?

Many hackers will get someone’s user ID and then try to gain access to a resource by repeatedly guessing the user’s password. This is known as a brute force attack. Locking an account after a set number of unsuccessful attempts helps slow down, and possibly prevent, a hacker from gaining access to the resource.

University SAP(s): 29.01.03.M1.14 Information Resources – Password-based Authentication

12. Is multi-factor authentication used for accessing the information resource(s)?

Does the information resource require you to validate via Duo Two-Factor Authentication or a similar product?

Answer Choices: Yes; No

Why is this important?

Multi-factor authentication helps prevent unauthorized users from gaining access to information resources using stolen or compromised login credentials (i.e. user ID, password).

All units are required to use multi-factor authentication when accessing information resources that have access to confidential data. Some units in the university require multi-factor authentication (e.g. Duo) for certain roles, regardless of the type of data the person has access to.

University Control(s): Identification and Authentication (Organizational Users) (IA-2)

TAMUS Policy and Regulation: