Security Controls Catalog

The Texas A&M Transportation Institute Security Control Standards Catalog (“Controls Catalog”) establishes the minimum standards and controls for agency information security in accordance with the state’s Information Security Standards for Institutions of Higher Education found in Title 1, Chapter 202, Texas Administrative Code (TAC 202). For more information, visit the Policy and Standards page.

| Procedure ID | Procedure Name | NIST Priority |
|---|---|---|
| Access Control | | |
| AC-01-727 | Access Control Policy and Procedures | P1 |
| AC-02-727 | Account Management | P1 |
| AC-03-727 | Access Enforcement | P1 |
| AC-04-727 | Information Flow Enforcement | P1 |
| AC-05-727 | Separation of Duties | P1 |
| AC-06-727 | Least Privilege | P1 |
| AC-07-727 | Unsuccessful Logon Attempts | P2 |
| AC-08-727 | System Use Notification | P1 |
| AC-09-727 | Previous Logon (Access) Notification | P0 |
| AC-10-727 | Concurrent Session Control | P3 |
| AC-11-727 | Session Lock | P3 |
| AC-12-727 | Session Termination | P2 |
| AC-14-727 | Permitted Actions without Identification or Authentication | P3 |
| AC-16-727 | Security Attributes | P0 |
| AC-17-727 | Remote Access | P1 |
| AC-18-727 | Wireless Access | P1 |
| AC-19-727 | Access Control for Mobile Devices | P1 |
| AC-20-727 | Use of External Information Systems | P1 |
| AC-21-727 | Information Sharing | P2 |
| AC-22-727 | Publicly Accessible Content | P3 |
| AC-23-727 | Data Mining Protection | P0 |
| AC-24-727 | Access Control Decisions | P0 |
| AC-25-727 | Reference Monitor | P0 |
| Authority and Purpose | | |
| AP-01-727 | Authority to Collect | NA |
| AP-02-727 | Purpose Specification | NA |
| Accountability, Audit and Risk Management | | |
| AR-01-727 | Governance and Privacy Program | NA |
| AR-02-727 | Privacy Impact and Risk Assessment | NA |
| AR-03-727 | Privacy Requirements for Contractors and Service Providers | NA |
| AR-04-727 | Privacy Monitoring and Auditing | NA |
| AR-05-727 | Privacy Awareness and Training | NA |
| AR-06-727 | Privacy Reporting | NA |
| AR-07-727 | Privacy-Enhanced System Design and Development | NA |
| AR-08-727 | Accounting of Disclosures | NA |
| Awareness and Training | | |
| AT-01-727 | Security Awareness and Training Policy and Procedures | P1 |
| AT-02-727 | Security Awareness Training | P1 |
| AT-03-727 | Role-Based Security Training | P1 |
| AT-04-727 | Security Training Records | P3 |
| Audit and Accountability | | |
| AU-01-727 | Audit and Accountability Policy and Procedures | P1 |
| AU-02-727 | Audit Events | P1 |
| AU-03-727 | Content of Audit Records | P1 |
| AU-04-727 | Audit Storage Capacity | P1 |
| AU-05-727 | Response to Audit Processing Failures | P1 |
| AU-06-727 | Audit Review, Analysis, and Reporting | P1 |
| AU-07-727 | Audit Reduction and Report Generation | P2 |
| AU-08-727 | Time Stamps | P1 |
| AU-09-727 | Protection of Audit Information | P1 |
| AU-10-727 | Non-Repudiation | P2 |
| AU-11-727 | Audit Record Retention | P3 |
| AU-12-727 | Audit Generation | P1 |
| AU-13-727 | Monitoring and Information Disclosure | P0 |
| AU-14-727 | Session Audit | P0 |
| AU-15-727 | Alternate Audit Capability | P0 |
| AU-16-727 | Cross-organizational Auditing | P0 |
| Security Assessment and Authorization | | |
| CA-01-727 | Security Assessment and Authorization Policy and Procedures | P1 |
| CA-02-727 | Security Assessments | P2 |
| CA-03-727 | System Interconnections | P1 |
| CA-05-727 | Plan of Action and Milestones | P3 |
| CA-06-727 | Security Authorization | P2 |
| CA-07-727 | Continuous Monitoring | P2 |
| CA-08-727 | Penetration Testing | P2 |
| CA-09-727 | Internal System Connections | P2 |
| Configuration Management | | |
| CM-01-727 | Configuration Management Policy and Procedures | P1 |
| CM-02-727 | Baseline Configuration | P1 |
| CM-03-727 | Configuration Change Control | P1 |
| CM-04-727 | Security Impact Analysis | P2 |
| CM-05-727 | Access Restrictions for Change | P1 |
| CM-06-727 | Configuration Settings | P1 |
| CM-07-727 | Least Functionality | P1 |
| CM-08-727 | Information System Component Inventory | P1 |
| CM-09-727 | Configuration Management Plan | P1 |
| CM-10-727 | Software Usage Restrictions | P2 |
| CM-11-727 | User-Installed Software | P1 |
| Contingency Planning | | |
| CP-01-727 | Contingency Planning Policy and Procedures | P1 |
| CP-02-727 | Contingency Plan | P1 |
| CP-03-727 | Contingency Training | P2 |
| CP-04-727 | Contingency Plan Testing | P2 |
| CP-06-727 | Alternate Storage Site | P1 |
| CP-07-727 | Alternate Processing Site | P1 |
| CP-08-727 | Telecommunications Services | P1 |
| CP-09-727 | Information System Backup | P1 |
| CP-10-727 | Information System Recovery and Reconstitution | P1 |
| CP-11-727 | Alternate Communications Protocols | P0 |
| CP-12-727 | Safe Mode | P0 |
| CP-13-727 | Alternative Security Mechanisms | P0 |
| Data Quality and Integrity | | |
| DI-01-727 | Data Quality | NA |
| DI-02-727 | Data Integrity and Data Integrity Board | NA |
| Data Minimization and Retention | | |
| DM-01-727 | Minimization of Personally Identifiable Information | NA |
| DM-02-727 | Data Retention and Disposal | NA |
| DM-03-727 | Minimization of PII Used in Testing, Training, and Research | NA |
| Identification and Authentication | | |
| IA-01-727 | Identification and Authentication Policy and Procedures | P1 |
| IA-02-727 | Identification and Authentication (Organizational Users) | P1 |
| IA-03-727 | Device Identification and Authentication | P1 |
| IA-04-727 | Identifier Management | P1 |
| IA-05-727 | Authenticator Management | P1 |
| IA-06-727 | Authenticator Feedback | P2 |
| IA-07-727 | Cryptographic Module Authentication | P1 |
| IA-08-727 | Identification and Authentication (Non-Organizational Users) | P1 |
| IA-09-727 | Service Identification and Authentication | P0 |
| IA-10-727 | Adaptive Identification and Authentication | P0 |
| IA-11-727 | Re-authentication | P0 |
| Individual Participation and Redress | | |
| IP-01-727 | Consent | NA |
| IP-02-727 | Individual Access | NA |
| IP-03-727 | Redress | NA |
| IP-04-727 | Complaint Management | NA |
| Incident Response | | |
| IR-01-727 | Incident Response Policy and Procedures | P1 |
| IR-02-727 | Incident Response Training | P2 |
| IR-03-727 | Incident Response Testing | P2 |
| IR-04-727 | Incident Handling | P1 |
| IR-05-727 | Incident Monitoring | P1 |
| IR-06-727 | Incident Reporting | P1 |
| IR-07-727 | Incident Response Assistance | P2 |
| IR-08-727 | Incident Response Plan | P1 |
| IR-09-727 | Information Spillage Response | P0 |
| IR-10-727 | Integrated Information Security Analysis Team | P0 |
| Maintenance | | |
| MA-01-727 | System Maintenance Policy and Procedures | P1 |
| MA-02-727 | Controlled Maintenance | P2 |
| MA-03-727 | Maintenance Tools | P3 |
| MA-04-727 | Nonlocal Maintenance | P2 |
| MA-05-727 | Maintenance Personnel | P2 |
| MA-06-727 | Timely Maintenance | P2 |
| Media Protection | | |
| MP-01-727 | Media Protection Policy and Procedures | P1 |
| MP-02-727 | Media Access | P1 |
| MP-03-727 | Media Marking | P2 |
| MP-04-727 | Media Storage | P1 |
| MP-05-727 | Media Transport | P1 |
| MP-06-727 | Media Sanitization | P1 |
| MP-07-727 | Media Use | P1 |
| Physical and Environmental Protection | | |
| PE-01-727 | Physical and Environmental Protection Policies and Procedures | P1 |
| PE-02-727 | Physical Access Authorizations | P1 |
| PE-03-727 | Physical Access Control | P1 |
| PE-04-727 | Access Control for Transmission Medium | P1 |
| PE-05-727 | Access Control for Output Devices | P2 |
| PE-06-727 | Monitoring Physical Access | P1 |
| PE-08-727 | Visitor Access Records | P3 |
| PE-09-727 | Power Equipment and Cabling | P1 |
| PE-10-727 | Emergency Shutoff | P1 |
| PE-11-727 | Emergency Power | P1 |
| PE-12-727 | Emergency Lighting | P1 |
| PE-13-727 | Fire Protection | P1 |
| PE-14-727 | Temperature and Humidity Controls | P1 |
| PE-15-727 | Water Damage Protection | P1 |
| PE-16-727 | Delivery and Removal | P2 |
| PE-17-727 | Alternate Work Site | P2 |
| PE-18-727 | Location of Information System Components | P3 |
| PE-19-727 | Information Leakage | P0 |
| PE-20-727 | Asset Monitoring and Tracking | P0 |
| Planning | | |
| PL-01-727 | Security Planning Policy and Procedures | P1 |
| PL-02-727 | System Security Plan | P1 |
| PL-04-727 | Rules of Behavior | P2 |
| PL-07-727 | Security Concept of Operations | P0 |
| PL-08-727 | Information Security Architecture | P1 |
| PL-09-727 | Central Management | P0 |
| Program Management | | |
| PM-01-727 | Information Security Program Plan | P1 |
| PM-02-727 | Senior Information Security Officer | P1 |
| PM-03-727 | Information Security Resources | P1 |
| PM-04-727 | Plan of Action and Milestones Process | P1 |
| PM-05-727 | Information System Inventory | P1 |
| PM-06-727 | Information Security Measures of Performance | P1 |
| PM-07-727 | Enterprise Architecture | P1 |
| PM-08-727 | Critical Infrastructure Plan | P1 |
| PM-09-727 | Risk Management Strategy | P1 |
| PM-10-727 | Security Authorization Process | P1 |
| PM-11-727 | Mission/Business Process Definition | P1 |
| PM-12-727 | Insider Threat Program | P1 |
| PM-13-727 | Information Security Workforce | P1 |
| PM-14-727 | Testing, Training, and Monitoring | P1 |
| PM-15-727 | Contacts with Security Groups and Associations | P3 |
| PM-16-727 | Threat Awareness Program | P1 |
| Personnel Security | | |
| PS-01-727 | Personnel Security Policy and Procedures | P1 |
| PS-02-727 | Position Risk Designation | P1 |
| PS-03-727 | Personnel Screening | P1 |
| PS-04-727 | Personnel Termination | P1 |
| PS-05-727 | Personnel Transfer | P2 |
| PS-06-727 | Access Agreements | P3 |
| PS-07-727 | Third-Party Personnel Security | P1 |
| PS-08-727 | Personnel Sanctions | P3 |
| Risk Assessment | | |
| RA-01-727 | Risk Assessment Policy and Procedures | P1 |
| RA-02-727 | Security Categorization | P1 |
| RA-03-727 | Risk Assessment | P1 |
| RA-05-727 | Vulnerability Scanning | P1 |
| RA-06-727 | Technical Surveillance Countermeasures Survey | P0 |
| System and Services Acquisition | | |
| SA-01-727 | System and Services Acquisition Policy and Procedures | P1 |
| SA-02-727 | Allocation of Resources | P1 |
| SA-03-727 | System Development Life Cycle | P1 |
| SA-04-727 | Acquisition Process | P1 |
| SA-05-727 | Information System Documentation | P2 |
| SA-08-727 | Security Engineering Principles | P1 |
| SA-09-727 | External Information System Services | P1 |
| SA-10-727 | Developer Configuration Management | P1 |
| SA-11-727 | Developer Security Testing and Evaluation | P1 |
| SA-12-727 | Supply Chain Protection | P1 |
| SA-13-727 | Trustworthiness | P0 |
| SA-14-727 | Criticality Analysis | P0 |
| SA-15-727 | Development Process, Standards, and Tools | P2 |
| SA-16-727 | Developer-provided Training | P2 |
| SA-17-727 | Developer Security Architecture and Design | P1 |
| SA-18-727 | Tamper Resistance and Detection | P0 |
| SA-19-727 | Component Authenticity | P0 |
| SA-20-727 | Customized Development of Critical Components | P0 |
| SA-21-727 | Developer Screening | P0 |
| SA-22-727 | Unsupported System Components | P0 |
| System and Communications Protection | | |
| SC-01-727 | System and Communications Protection Policy and Procedures | P1 |
| SC-02-727 | Application Partitioning | P1 |
| SC-03-727 | Security Function Isolation | P1 |
| SC-04-727 | Information in Shared Resources | P1 |
| SC-05-727 | Denial of Service Protection | P1 |
| SC-06-727 | Resource Availability | P0 |
| SC-07-727 | Boundary Protection | P1 |
| SC-08-727 | Transmission Confidentiality and Integrity | P1 |
| SC-10-727 | Network Disconnect | P2 |
| SC-11-727 | Trusted Path | P0 |
| SC-12-727 | Cryptographic Key Establishment and Management | P1 |
| SC-13-727 | Cryptographic Protection | P1 |
| SC-15-727 | Collaborative Computing Devices | P1 |
| SC-16-727 | Transmission of Security Attributes | P0 |
| SC-17-727 | Public Key Infrastructure Certificates | P1 |
| SC-18-727 | Mobile Code | P2 |
| SC-19-727 | Voice over Internet Protocol | P1 |
| SC-20-727 | Secure Name/Address Resolution Service (Authoritative Source) | P1 |
| SC-21-727 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | P1 |
| SC-22-727 | Architecture and Provisioning for Name/Address Resolution Service | P1 |
| SC-23-727 | Session Authenticity | P1 |
| SC-24-727 | Fail in Known State | P1 |
| SC-25-727 | Thin Nodes | P0 |
| SC-26-727 | Honeypots | P0 |
| SC-27-727 | Platform-independent Applications | P0 |
| SC-28-727 | Protection of Information at Rest | P1 |
| SC-29-727 | Heterogeneity | P0 |
| SC-30-727 | Concealment and Misdirection | P0 |
| SC-31-727 | Covert Channel Analysis | P0 |
| SC-32-727 | Information System Partitioning | P0 |
| SC-34-727 | Non-modifiable Executable Programs | P0 |
| SC-35-727 | Honeyclients | P0 |
| SC-36-727 | Distributed Processing and Storage | P0 |
| SC-37-727 | Out-of-band Channels | P0 |
| SC-38-727 | Operations Security | P0 |
| SC-39-727 | Process Isolation | P1 |
| SC-40-727 | Wireless Link Protection | P0 |
| SC-41-727 | Port and I/O Device Access | P0 |
| SC-42-727 | Sensor Capability and Data | P0 |
| SC-43-727 | Usage Restrictions | P0 |
| SC-44-727 | Detonation Chambers | P0 |
| Security | | |
| SE-01-727 | Inventory of Personally Identifiable Information | NA |
| SE-02-727 | Privacy Incident Response | NA |
| System and Information Integrity | | |
| SI-01-727 | System and Information Integrity Policy and Procedures | P1 |
| SI-02-727 | Flaw Remediation | P1 |
| SI-03-727 | Malicious Code Protection | P1 |
| SI-04-727 | Information System Monitoring | P1 |
| SI-05-727 | Security Alerts, Advisories, and Directives | P1 |
| SI-06-727 | Security Function Verification | P1 |
| SI-07-727 | Software, Firmware, and Information Integrity | P1 |
| SI-08-727 | Spam Protection | P2 |
| SI-10-727 | Information Input Validation | P1 |
| SI-11-727 | Error Handling | P2 |
| SI-12-727 | Information Output Handling and Retention | P2 |
| SI-13-727 | Predictable Failure Prevention | P0 |
| SI-14-727 | Non-persistence | P0 |
| SI-15-727 | Information Output Filtering | P0 |
| SI-16-727 | Memory Protection | P1 |
| SI-17-727 | Fail-safe Procedures | P0 |
| Transparency | | |
| TR-01-727 | Privacy Notice | NA |
| TR-02-727 | System of Records Notices and Privacy Act Statements | NA |
| TR-03-727 | Dissemination of Privacy Program Information | NA |
| Use Limitation | | |
| UL-01-727 | Internal Use | NA |
| UL-02-727 | Information Sharing With Third Parties | NA |