# PL-2: System Security and Privacy Plans

Tarleton State University Security Controls Catalog, Planning (PL). Source: https://www.tarleton.edu/security-controls-catalog/planning-pl/pl-2-system-security-and-privacy-plans/ (author: brian; posted on August 5, 2024; updated on September 6, 2024).

**NIST Baseline:** Low

**Privacy Baseline:** Yes

**DIR Required By:** 07/20/2023

**Review Date:** 07/31/2024

- The Tarleton State University (Tarleton) Chief Information Security Officer (CISO), in coordination with information resource owners and custodians, must develop a System Security and Privacy Plan covering High Impact Information Resources that:
  - Defines the system components that are authorized for operation by the information resource owner (see [Control CM-8, System Component Inventory](https://www.tarleton.edu/security-controls-catalog/configuration-management-cm/cm-8-system-component-inventory/));
  - Describes the business process(es) supported by the information resource;
  - Identifies the individuals who fulfill system roles and responsibilities;
  - Identifies the information types processed, stored, and transmitted by the system (see [Texas A&M University System (TAMUS) Data Classification Standard](https://assets.system.tamus.edu/files/policy/pdf/so-Security-Standards/DataClassProtect.pdf));
  - Provides the security categorization of the system, including supporting rationale (see [Control RA-2, Security Categorization](https://www.tarleton.edu/security-controls-catalog/risk-assessment-ra/ra-2-security-categorization/));
  - Describes any specific threats to the system that are of concern to the organization;
  - Provides the results of a privacy risk assessment for systems processing personally identifiable information (PII);
  - Describes any dependencies on or connections to other systems or system components;
  - Provides an overview of the security and privacy requirements for the system;
  - Identifies any relevant control baselines or overlays, if applicable; and
  - Describes the unique controls in place or planned that exceed the common security controls applied to all Tarleton information resources, including a rationale for any exceptions or tailoring decisions.
- Information resource owners or their designees are responsible for:
  - Periodically reviewing and being familiar with the security plan;
  - Providing suggested or necessary updates to the security plan, as changes occur to the information resource under their authority, to the Tarleton CISO for final review and consideration so that the security plan can be updated as needed; and
  - Distributing the plans and communicating any changes, as appropriate, to other authorized individuals impacted by such changes for the information resource under their authority.
- The Tarleton CISO shall:
  - Distribute copies of the security plan and communicate changes to the plan, as appropriate, to authorized individuals;
  - Review the security plan for the information systems biennially (every two years) and submit a report to DIR;
  - Update the plan to address changes to the information system or its environment of operation, or issues identified during plan implementation or security control assessments; and
  - Protect the security plan from unauthorized disclosure and modification.

## References/Additional Resources

- 1 TAC § 202.21(b)(1): https://texreg.sos.state.tx.us/public/readtac$ext.TacPage?sl=R&app=9&p_dir=&p_rloc=&p_tloc=&p_ploc=&pg=1&p_tac=&ti=1&pt=10&ch=202&rl=21#:~:text=(1)%20developing%20and%20maintaining%20an%20agency%2Dwide%20information%20security%20plan%20as%20required%20by%20Texas%20Government%20Code%20%C2%A7%202054.133%3B
- 1 TAC § 202.71(b)(1): https://texreg.sos.state.tx.us/public/readtac$ext.TacPage?sl=R&app=9&p_dir=&p_rloc=&p_tloc=&p_ploc=&pg=1&p_tac=&ti=1&pt=10&ch=202&rl=71#:~:text=%C2%A0%C2%A0(1)%20developing%20and%20maintaining%20an%20institution%2Dwide%20information%20security%20plan%20as%20required%20by%20Texas%20Government%20Code%20%C2%A7%202054.133%3B
- Section 2054.133, Government Code: https://statutes.capitol.texas.gov/Docs/GV/htm/GV.2054.htm#:~:text=Sec.%202054.133.%20%20INFORMATION%20SECURITY%20PLAN.
- TAMUS Data Classification Standard: https://assets.system.tamus.edu/files/policy/pdf/so-Security-Standards/DataClassProtect.pdf