Security Controls Catalog
The Texas A&M Transportation Institute Security Control Standards Catalog (“Controls Catalog”) establishes the minimum standards and controls for agency information security in accordance with the state’s Information Security Standards for Institutions of Higher Education found in Title 1, Chapter 202, Texas Administrative Code (TAC 202). For more information, visit the Policy and Standards page.
Procedure ID | Procedure Name | NIST Priority |
---|---|---|
Access Control | ||
AC-01-727 | Access Control Policy and Procedures | P1 |
AC-02-727 | Account Management | P1 |
AC-03-727 | Access Enforcement | P1 |
AC-04-727 | Information Flow Enforcement | P1 |
AC-05-727 | Separation of Duties | P1 |
AC-06-727 | Least Privilege | P1 |
AC-07-727 | Unsuccessful Logon Attempts | P2 |
AC-08-727 | System Use Notification | P1 |
AC-09-727 | Previous Logon (Access) Notification | P0 |
AC-10-727 | Concurrent Session Control | P3 |
AC-11-727 | Session Lock | P3 |
AC-12-727 | Session Termination | P2 |
AC-14-727 | Permitted Actions without Identification or Authentication | P3 |
AC-16-727 | Security Attributes | P0 |
AC-17-727 | Remote Access | P1 |
AC-18-727 | Wireless Access | P1 |
AC-19-727 | Access Control for Mobile Devices | P1 |
AC-20-727 | Use of External Information Systems | P1 |
AC-21-727 | Information Sharing | P2 |
AC-22-727 | Publicly Accessible Content | P3 |
AC-23-727 | Data Mining Protection | P0 |
AC-24-727 | Access Control Decisions | P0 |
AC-25-727 | Reference Monitor | P0 |
Authority and Purpose | ||
AP-01-727 | Authority to Collect | NA |
AP-02-727 | Purpose Specification | NA |
Accountability, Audit and Risk Management | ||
AR-01-727 | Governance and Privacy Program | NA |
AR-02-727 | Privacy Impact and Risk Assessment | NA |
AR-03-727 | Privacy Requirements for Contractors and Service Providers | NA |
AR-04-727 | Privacy Monitoring and Auditing | NA |
AR-05-727 | Privacy Awareness and Training | NA |
AR-06-727 | Privacy Reporting | NA |
AR-07-727 | Privacy-Enhanced System Design and Development | NA |
AR-08-727 | Accounting of Disclosures | NA |
Awareness and Training | ||
AT-01-727 | Security Awareness and Training Policy and Procedures | P1 |
AT-02-727 | Security Awareness Training | P1 |
AT-03-727 | Role-Based Security Training | P1 |
AT-04-727 | Security Training Records | P3 |
Audit and Accountability | ||
AU-01-727 | Audit and Accountability Policy and Procedures | P1 |
AU-02-727 | Audit Events | P1 |
AU-03-727 | Content of Audit Records | P1 |
AU-04-727 | Audit Storage Capacity | P1 |
AU-05-727 | Response to Audit Processing Failures | P1 |
AU-06-727 | Audit Review, Analysis, and Reporting | P1 |
AU-07-727 | Audit Reduction and Report Generation | P2 |
AU-08-727 | Time Stamps | P1 |
AU-09-727 | Protection of Audit Information | P1 |
AU-10-727 | Non-Repudiation | P2 |
AU-11-727 | Audit Record Retention | P3 |
AU-12-727 | Audit Generation | P1 |
AU-13-727 | Monitoring and Information Disclosure | P0 |
AU-14-727 | Session Audit | P0 |
AU-15-727 | Alternate Audit Capability | P0 |
AU-16-727 | Cross-organizational Auditing | P0 |
Security Assessment and Authorization | ||
CA-01-727 | Security Assessment and Authorization Policy and Procedures | P1 |
CA-02-727 | Security Assessments | P2 |
CA-03-727 | System Interconnections | P1 |
CA-05-727 | Plan of Action and Milestones | P3 |
CA-06-727 | Security Authorization | P2 |
CA-07-727 | Continuous Monitoring | P2 |
CA-08-727 | Penetration Testing | P2 |
CA-09-727 | Internal System Connections | P2 |
Configuration Management | ||
CM-01-727 | Configuration Management Policy and Procedures | P1 |
CM-02-727 | Baseline Configuration | P1 |
CM-03-727 | Configuration Change Control | P1 |
CM-04-727 | Security Impact Analysis | P2 |
CM-05-727 | Access Restrictions for Change | P1 |
CM-06-727 | Configuration Settings | P1 |
CM-07-727 | Least Functionality | P1 |
CM-08-727 | Information System Component Inventory | P1 |
CM-09-727 | Configuration Management Plan | P1 |
CM-10-727 | Software Usage Restrictions | P2 |
CM-11-727 | User-Installed Software | P1 |
Contingency Planning | ||
CP-01-727 | Contingency Planning Policy and Procedures | P1 |
CP-02-727 | Contingency Plan | P1 |
CP-03-727 | Contingency Training | P2 |
CP-04-727 | Contingency Plan Testing | P2 |
CP-06-727 | Alternate Storage Site | P1 |
CP-07-727 | Alternate Processing Site | P1 |
CP-08-727 | Telecommunications Services | P1 |
CP-09-727 | Information System Backup | P1 |
CP-10-727 | Information System Recovery and Reconstitution | P1 |
CP-11-727 | Alternate Communications Protocols | P0 |
CP-12-727 | Safe Mode | P0 |
CP-13-727 | Alternative Security Mechanisms | P0 |
Data Quality and Integrity | ||
DI-01-727 | Data Quality | NA |
DI-02-727 | Data Integrity and Data Integrity Board | NA |
Data Minimization and Retention | ||
DM-01-727 | Minimization of Personally Identifiable Information | NA |
DM-02-727 | Data Retention and Disposal | NA |
DM-03-727 | Minimization of PII Used in Testing, Training, and Research | NA |
Identification and Authentication | ||
IA-01-727 | Identification and Authentication Policy and Procedures | P1 |
IA-02-727 | Identification and Authentication (Organizational Users) | P1 |
IA-03-727 | Device Identification and Authentication | P1 |
IA-04-727 | Identifier Management | P1 |
IA-05-727 | Authenticator Management | P1 |
IA-06-727 | Authenticator Feedback | P2 |
IA-07-727 | Cryptographic Module Authentication | P1 |
IA-08-727 | Identification and Authentication (Non-Organizational Users) | P1 |
IA-09-727 | Service Identification and Authentication | P0 |
IA-10-727 | Adaptive Identification and Authentication | P0 |
IA-11-727 | Re-authentication | P0 |
Individual Participation and Redress | ||
IP-01-727 | Consent | NA |
IP-02-727 | Individual Access | NA |
IP-03-727 | Redress | NA |
IP-04-727 | Complaint Management | NA |
Incident Response | ||
IR-01-727 | Incident Response Policy and Procedures | P1 |
IR-02-727 | Incident Response Training | P2 |
IR-03-727 | Incident Response Testing | P2 |
IR-04-727 | Incident Handling | P1 |
IR-05-727 | Incident Monitoring | P1 |
IR-06-727 | Incident Reporting | P1 |
IR-07-727 | Incident Response Assistance | P2 |
IR-08-727 | Incident Response Plan | P1 |
IR-09-727 | Information Spillage Response | P0 |
IR-10-727 | Integrated Information Security Analysis Team | P0 |
Maintenance | ||
MA-01-727 | System Maintenance Policy and Procedures | P1 |
MA-02-727 | Controlled Maintenance | P2 |
MA-03-727 | Maintenance Tools | P3 |
MA-04-727 | Nonlocal Maintenance | P2 |
MA-05-727 | Maintenance Personnel | P2 |
MA-06-727 | Timely Maintenance | P2 |
Media Protection | ||
MP-01-727 | Media Protection Policy and Procedures | P1 |
MP-02-727 | Media Access | P1 |
MP-03-727 | Media Marking | P2 |
MP-04-727 | Media Storage | P1 |
MP-05-727 | Media Transport | P1 |
MP-06-727 | Media Sanitization | P1 |
MP-07-727 | Media Use | P1 |
Physical and Environmental Protection | ||
PE-01-727 | Physical and Environmental Protection Policies and Procedures | P1 |
PE-02-727 | Physical Access Authorizations | P1 |
PE-03-727 | Physical Access Control | P1 |
PE-04-727 | Access Control for Transmission Medium | P1 |
PE-05-727 | Access Control for Output Devices | P2 |
PE-06-727 | Monitoring Physical Access | P1 |
PE-08-727 | Visitor Access Records | P3 |
PE-09-727 | Power Equipment and Cabling | P1 |
PE-10-727 | Emergency Shutoff | P1 |
PE-11-727 | Emergency Power | P1 |
PE-12-727 | Emergency Lighting | P1 |
PE-13-727 | Fire Protection | P1 |
PE-14-727 | Temperature and Humidity Controls | P1 |
PE-15-727 | Water Damage Protection | P1 |
PE-16-727 | Delivery and Removal | P2 |
PE-17-727 | Alternate Work Site | P2 |
PE-18-727 | Location of Information System Components | P3 |
PE-19-727 | Information Leakage | P0 |
PE-20-727 | Asset Monitoring and Tracking | P0 |
Planning | ||
PL-01-727 | Security Planning Policy and Procedures | P1 |
PL-02-727 | System Security Plan | P1 |
PL-04-727 | Rules of Behavior | P2 |
PL-07-727 | Security Concept of Operations | P0 |
PL-08-727 | Information Security Architecture | P1 |
PL-09-727 | Central Management | P0 |
Program Management | ||
PM-01-727 | Information Security Program Plan | P1 |
PM-02-727 | Senior Information Security Officer | P1 |
PM-03-727 | Information Security Resources | P1 |
PM-04-727 | Plan of Action and Milestones Process | P1 |
PM-05-727 | Information System Inventory | P1 |
PM-06-727 | Information Security Measures of Performance | P1 |
PM-07-727 | Enterprise Architecture | P1 |
PM-08-727 | Critical Infrastructure Plan | P1 |
PM-09-727 | Risk Management Strategy | P1 |
PM-10-727 | Security Authorization Process | P1 |
PM-11-727 | Mission/Business Process Definition | P1 |
PM-12-727 | Insider Threat Program | P1 |
PM-13-727 | Information Security Workforce | P1 |
PM-14-727 | Testing, Training, and Monitoring | P1 |
PM-15-727 | Contacts with Security Groups and Associations | P3 |
PM-16-727 | Threat Awareness Program | P1 |
Personnel Security | ||
PS-01-727 | Personnel Security Policy and Procedures | P1 |
PS-02-727 | Position Risk Designation | P1 |
PS-03-727 | Personnel Screening | P1 |
PS-04-727 | Personnel Termination | P1 |
PS-05-727 | Personnel Transfer | P2 |
PS-06-727 | Access Agreements | P3 |
PS-07-727 | Third-Party Personnel Security | P1 |
PS-08-727 | Personnel Sanctions | P3 |
Risk Assessment | ||
RA-01-727 | Risk Assessment Policy and Procedures | P1 |
RA-02-727 | Security Categorization | P1 |
RA-03-727 | Risk Assessment | P1 |
RA-05-727 | Vulnerability Scanning | P1 |
RA-06-727 | Technical Surveillance Countermeasures Survey | P0 |
System and Services Acquisition | ||
SA-01-727 | System and Services Acquisition Policy and Procedures | P1 |
SA-02-727 | Allocation of Resources | P1 |
SA-03-727 | System Development Life Cycle | P1 |
SA-04-727 | Acquisition Process | P1 |
SA-05-727 | Information System Documentation | P2 |
SA-08-727 | Security Engineering Principles | P1 |
SA-09-727 | External Information System Services | P1 |
SA-10-727 | Developer Configuration Management | P1 |
SA-11-727 | Developer Security Testing and Evaluation | P1 |
SA-12-727 | Developer Security Testing and Evaluation | P1 |
SA-13-727 | Trustworthiness | P0 |
SA-14-727 | Criticality Analysis | P0 |
SA-15-727 | Development Process, Standards, and Tools | P2 |
SA-16-727 | Developer-provided Training | P2 |
SA-17-727 | Developer Security Architecture and Design | P1 |
SA-18-727 | Tamper Resistance and Detection | P0 |
SA-19-727 | Component Authenticity | P0 |
SA-20-727 | Customized Development of Critical Components | P0 |
SA-21-727 | Developer Screening | P0 |
SA-22-727 | Unsupported System Components | P0 |
System and Communications Protection | ||
SC-01-727 | System and Communications Protection Policy and Procedures | P1 |
SC-02-727 | Application Partitioning | P1 |
SC-03-727 | Security Function Isolation | P1 |
SC-04-727 | Information in Shared Resources | P1 |
SC-05-727 | Denial of Service Protection | P1 |
SC-06-727 | Resource Availability | P0 |
SC-07-727 | Boundary Protection | P1 |
SC-08-727 | Transmission Confidentiality and Integrity | P1 |
SC-10-727 | Network Disconnect | P2 |
SC-11-727 | Network Disconnect | P0 |
SC-12-727 | Cryptographic Key Establishment and Management | P1 |
SC-13-727 | Cryptographic Protection | P1 |
SC-15-727 | Collaborative Computing Devices | P1 |
SC-16-727 | Transmission of Security Attributes | P0 |
SC-17-727 | Public Key Infrastructure Certificates | P1 |
SC-18-727 | Mobile Code | P2 |
SC-19-727 | Voice over Internet Protocol | P1 |
SC-20-727 | Secure Name/Address Resolution Service (Authoritative Source) | P1 |
SC-21-727 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | P1 |
SC-22-727 | Architecture and Provisioning for Name/Address Resolution Service | P1 |
SC-23-727 | Session Authenticity | P1 |
SC-24-727 | Fail in Known State | P1 |
SC-25-727 | Thin Nodes | P0 |
SC-26-727 | Honeypots | P0 |
SC-27-727 | Platform-independent Applications | P0 |
SC-28-727 | Protection of Information at Rest | P1 |
SC-29-727 | Platform-independent Applications Heterogeneity | P0 |
SC-30-727 | Concealment and Misdirection | P0 |
SC-31-727 | Covert Channel Analysis | P0 |
SC-32-727 | Information System Partitioning | P0 |
SC-34-727 | Non-modifiable Executable Programs | P0 |
SC-35-727 | Honeyclients | P0 |
SC-36-727 | Distributed Processing and Storage | P0 |
SC-37-727 | Out-of-band Channels | P0 |
SC-38-727 | Operations Security | P0 |
SC-39-727 | Process Isolation | P1 |
SC-40-727 | Wireless Link Protection | P0 |
SC-41-727 | Port and I/O Device Access | P0 |
SC-42-727 | Sensor Capability and Data | P0 |
SC-43-727 | Usage Restrictions | P0 |
SC-44-727 | Detonation Chambers | P0 |
Security | ||
SE-01-727 | Inventory of Personally Identifiable Information | NA |
SE-02-727 | Privacy Incident Response | NA |
System and Information Integrity | ||
SI-01-727 | System and Information Integrity Policy and Procedures | P1 |
SI-02-727 | Flaw Remediation | P1 |
SI-03-727 | Malicious Code Protection | P1 |
SI-04-727 | Information System Monitoring | P1 |
SI-05-727 | Security Alerts, Advisories, and Directives | P1 |
SI-06-727 | Security Function Verification | P1 |
SI-07-727 | Software, Firmware, and Information Integrity | P1 |
SI-08-727 | Spam Protection | P2 |
SI-10-727 | Information Input Validation | P1 |
SI-11-727 | Error Handling | P2 |
SI-12-727 | Information Output Handling and Retention | P2 |
SI-13-727 | Predictable Failure Prevention | P0 |
SI-14-727 | Non-persistence | P0 |
SI-15-727 | Information Output Filtering | P0 |
SI-16-727 | Memory Protection | P1 |
SI-17-727 | Fail-safe Procedures | P0 |
Transparency | ||
TR-01-727 | Privacy Notice | NA |
TR-02-727 | System of Records Notices and Privacy Act Statements | NA |
TR-03-727 | Dissemination of Privacy Program Information | NA |
Use Limitation | ||
UL-01-727 | Internal Use | NA |
UL-02-727 | Information Sharing With Third Parties | NA |