Tarleton Security Control Standards Catalog
Overview
The Information Security Control Catalog establishes the minimum standards and controls for university information security in accordance with the state's Information Security Standards for Institutions of Higher Education found in Title 1, Chapter 202, Texas Administrative Code (TAC 202).
The purpose of this Control Catalog is to provide Tarleton State University information owners and users with specific guidance for implementing security controls conforming to security control standards currently required in the Texas Department of Information Resources (DIR) Security Control Standards Catalog, Version 1.3.
Each control group is organized under its two-letter group identification code and title, and adopts the numbering format of the DIR Security Control Standards Catalog.
Security Control Standards
Access Control
- AC-1 Access Control Policy and Procedures
- AC-2 Account Management
- AC-3 Access Enforcement
- AC-5 Separation of Duties
- AC-6 Least Privilege
- AC-7 Unsuccessful Logon Attempts
- AC-8 System Use Notification
- AC-14 Permitted Actions without Identification or Authentication
- AC-17 Remote Access
- AC-18 Wireless Access
- AC-19 Access Control for Mobile Devices
- AC-20 Use of External Information Systems
- AC-22 Publicly Accessible Content
Awareness and Training Controls
- AT-1 Awareness Training Controls
- AT-2 Security Awareness and Training
- AT-3 Role-Based Security Training
- AT-4 Security Training Records
Audit and Accountability Controls
- AU-1 Audit and Accountability Controls
- AU-2 Audit Events
- AU-3 Content of Audit Records
- AU-4 Audit Storage Capacity
- AU-5 Response to Audit Processing Failure
- AU-6 Audit Review, Analysis, and Reporting
- AU-8 Time Stamps
- AU-9 Protection of Audit Information
- AU-11 Audit Record Retention
- AU-12 Audit Generation
Security Assessment and Authorization Controls
- CA-1 Security Assessment Authorization Controls
- CA-2 Security Assessment
- CA-3 System Interconnections
- CA-5 Plan of Action and Milestones
- CA-6 Security Authorization
- CA-7 Continuous Monitoring
- CA-9 Internal System Connections
Configuration Management Controls
- CM-1 Configuration Management Controls
- CM-2 Baseline Configuration
- CM-4 Security Impact Analysis
- CM-7 Least Functionality
- CM-8 Information System Component Inventory
- CM-10 Software Usage Restrictions
- CM-11 User Installed Software
Contingency Planning Controls
- CP-1 Contingency Planning Controls
- CP-2 Contingency Plan
- CP-3 Contingency Training
- CP-4 Contingency Plan Testing
- CP-6 Alternate Storage Site
- CP-9 Information System Backup
- CP-10 Information System Recovery and Reconstitution
Identification and Authentication Controls
- IA-1 Identification and Authentication Controls
- IA-2 Identification and Authentication
- IA-4 Identifier Management
- IA-5 Authenticator Management
- IA-6 Authenticator Feedback
- IA-7 Cryptographic Module Authentication
- IA-8 Identification and Authentication (Non-Organizational Users)
- IA-11 Re-authentication
Incident Response Controls
- IR-1 Incident Response Policy
- IR-2 Incident Response
- IR-4 Incident Handling
- IR-5 Incident Monitoring
- IR-6 Incident Reporting
- IR-7 Incident Response Assistance
- IR-8 Incident Response Plan
Maintenance Controls
- MA-1 System Maintenance Controls
- MA-2 Controlled Maintenance
- MA-4 Non-local Maintenance
- MA-5 Maintenance Personnel
Media Protection Controls
Physical and Environmental Protection Controls
- PE-1 Physical and Environmental Protection Controls
- PE-2 Physical Access Authorization
- PE-3 Physical Access Control
- PE-6 Monitoring Physical Access
- PE-8 Visitor Access Records
- PE-12 Emergency Lighting
- PE-13 Fire Protection
- PE-14 Temperature and Humidity Controls
- PE-15 Water Damage Protection
- PE-16 Delivery and Removal
Planning Controls
Program Management Controls
- PM-1 Program Management Controls
- PM-2 Senior Information Security Officer
- PM-3 Information Security Resources
- PM-4 Plan of Action and Milestones Process
- PM-5 Information System Inventory
- PM-6 Information Security Measures of Performance
- PM-7 Enterprise Architecture
- PM-16 Threat Awareness Program
Personnel Security Controls
- PS-1 Personnel Security Controls
- PS-2 Position Risk Designation
- PS-3 Personnel Screening
- PS-4 Personnel Termination
- PS-5 Personnel Transfer
- PS-6 Access Agreement
- PS-7 Third-Party Personnel Security
- PS-8 Personnel Security
Risk Assessment Controls
- RA-1 Risk Assessment Controls
- RA-2 Security Categorization
- RA-3 Risk Assessment
- RA-5 Vulnerability Scanning
System and Services Acquisition Controls
- SA-1 System and Services Acquisition Controls
- SA-2 Allocation of Resources
- SA-3 System Development Life Cycle
- SA-4 Acquisition Process
- SA-5 Information System Documentation
- SA-9 External Information System Services
- SA-10 Developer Configuration Management
System and Communication Protection Controls
- SC-1 System and Communications Protection Controls
- SC-5 Denial of Service Protection
- SC-7 Boundary Protection
- SC-12 Cryptographic Key Establishment and Management
- SC-13 Cryptographic Protection
- SC-15 Collaborative Computing Devices
- SC-20 Secure Name/Address Resolution Service (Authoritative Source)
- SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
- SC-22 Architecture and Provisioning for Name/Address Resolution Service
- SC-39 Process Isolation
System and Information Integrity Controls
- SI-1 System and Information Integrity Controls
- SI-2 Flaw Remediation
- SI-3 Malicious Code Protection
- SI-4 Information System Monitoring
- SI-5 Security Alerts, Advisories, and Directives
- SI-12 Information Handling and Retention
Exceptions
The information resource owner or designee (e.g., custodian, user) is responsible for ensuring that the protection measures in the Security Control Catalog are implemented. Based on risk management considerations and business functions, the resource owner may request to exclude certain protection measures mandated by a control in favor of alternate mitigation.
To submit an exception request for any I.T. policy, please complete the online I.T. Policy Exception Request Form.