Security Controls Catalog of HIGH Baseline Controls
The Texas A&M Transportation Institute Security Control Standards Catalog (“Controls Catalog”) establishes the minimum standards and controls for agency information security in accordance with the state’s Information Security Standards for Institutions of Higher Education found in Title 1, Chapter 202, Texas Administrative Code (TAC 202). For more information, visit the Policy and Standards page.
Procedure ID | Procedure Name | NIST Priority |
---|---|---|
Access Control | ||
AC-01-727 | Access Control Policy and Procedures | P1 |
AC-02-727 | Account Management | P1 |
AC-03-727 | Access Enforcement | P1 |
AC-04-727 | Information Flow Enforcement | P1 |
AC-05-727 | Separation of Duties | P1 |
AC-06-727 | Least Privilege | P1 |
AC-07-727 | Unsuccessful Logon Attempts | P2 |
AC-08-727 | System Use Notification | P1 |
AC-10-727 | Concurrent Session Control | P3 |
AC-11-727 | Session Lock | P3 |
AC-12-727 | Session Termination | P2 |
AC-14-727 | Permitted Actions without Identification or Authentication | P3 |
AC-17-727 | Remote Access | P1 |
AC-18-727 | Wireless Access | P1 |
AC-19-727 | Access Control for Mobile Devices | P1 |
AC-20-727 | Use of External Information Systems | P1 |
AC-21-727 | Information Sharing | P2 |
AC-22-727 | Publicly Accessible Content | P3 |
Awareness and Training | ||
AT-01-727 | Security Awareness and Training Policy and Procedures | P1 |
AT-02-727 | Security Awareness Training | P1 |
AT-03-727 | Role-Based Security Training | P1 |
AT-04-727 | Security Training Records | P3 |
Audit and Accountability | ||
AU-01-727 | Audit and Accountability Policy and Procedures | P1 |
AU-02-727 | Audit Events | P1 |
AU-03-727 | Content of Audit Records | P1 |
AU-04-727 | Audit Storage Capacity | P1 |
AU-05-727 | Response to Audit Processing Failures | P1 |
AU-06-727 | Audit Review, Analysis, and Reporting | P1 |
AU-07-727 | Audit Reduction and Report Generation | P2 |
AU-08-727 | Time Stamps | P1 |
AU-09-727 | Protection of Audit Information | P1 |
AU-10-727 | Non-Repudiation | P2 |
AU-11-727 | Audit Record Retention | P3 |
AU-12-727 | Audit Generation | P1 |
Security Assessment and Authorization | ||
CA-01-727 | Security Assessment and Authorization Policy and Procedures | P1 |
CA-02-727 | Security Assessments | P2 |
CA-03-727 | System Interconnections | P1 |
CA-05-727 | Plan of Action and Milestones | P3 |
CA-06-727 | Security Authorization | P2 |
CA-07-727 | Continuous Monitoring | P2 |
CA-08-727 | Penetration Testing | P2 |
CA-09-727 | Internal System Connections | P2 |
Configuration Management | ||
CM-01-727 | Configuration Management Policy and Procedures | P1 |
CM-02-727 | Baseline Configuration | P1 |
CM-03-727 | Configuration Change Control | P1 |
CM-04-727 | Security Impact Analysis | P2 |
CM-05-727 | Access Restrictions for Change | P1 |
CM-06-727 | Configuration Settings | P1 |
CM-07-727 | Least Functionality | P1 |
CM-08-727 | Information System Component Inventory | P1 |
CM-09-727 | Configuration Management Plan | P1 |
CM-10-727 | Software Usage Restrictions | P2 |
CM-11-727 | User-Installed Software | P1 |
Contingency Planning | ||
CP-01-727 | Contingency Planning Policy and Procedures | P1 |
CP-02-727 | Contingency Plan | P1 |
CP-03-727 | Contingency Training | P2 |
CP-04-727 | Contingency Plan Testing | P2 |
CP-06-727 | Alternate Storage Site | P1 |
CP-07-727 | Alternate Processing Site | P1 |
CP-08-727 | Telecommunications Services | P1 |
CP-09-727 | Information System Backup | P1 |
CP-10-727 | Information System Recovery and Reconstitution | P1 |
Identification and Authentication | ||
IA-01-727 | Identification and Authentication Policy and Procedures | P1 |
IA-02-727 | Identification and Authentication (Organizational Users) | P1 |
IA-03-727 | Device Identification and Authentication | P1 |
IA-04-727 | Identifier Management | P1 |
IA-05-727 | Authenticator Management | P1 |
IA-06-727 | Authenticator Feedback | P2 |
IA-07-727 | Cryptographic Module Authentication | P1 |
IA-08-727 | Identification and Authentication (Non-Organizational Users) | P1 |
Incident Response | ||
IR-01-727 | Incident Response Policy and Procedures | P1 |
IR-02-727 | Incident Response Training | P2 |
IR-03-727 | Incident Response Testing | P2 |
IR-04-727 | Incident Handling | P1 |
IR-05-727 | Incident Monitoring | P1 |
IR-06-727 | Incident Reporting | P1 |
IR-07-727 | Incident Response Assistance | P2 |
IR-08-727 | Incident Response Plan | P1 |
Maintenance | ||
MA-01-727 | System Maintenance Policy and Procedures | P1 |
MA-02-727 | Controlled Maintenance | P2 |
MA-03-727 | Maintenance Tools | P3 |
MA-04-727 | Nonlocal Maintenance | P2 |
MA-05-727 | Maintenance Personnel | P2 |
MA-06-727 | Timely Maintenance | P2 |
Media Protection | ||
MP-01-727 | Media Protection Policy and Procedures | P1 |
MP-02-727 | Media Access | P1 |
MP-03-727 | Media Marking | P2 |
MP-04-727 | Media Storage | P1 |
MP-05-727 | Media Transport | P1 |
MP-06-727 | Media Sanitization | P1 |
MP-07-727 | Media Use | P1 |
Physical and Environmental Protection | ||
PE-01-727 | Physical and Environmental Protection Policies and Procedures | P1 |
PE-02-727 | Physical Access Authorizations | P1 |
PE-03-727 | Physical Access Control | P1 |
PE-04-727 | Access Control for Transmission Medium | P1 |
PE-05-727 | Access Control for Output Devices | P2 |
PE-06-727 | Monitoring Physical Access | P1 |
PE-08-727 | Visitor Access Records | P3 |
PE-09-727 | Power Equipment and Cabling | P1 |
PE-10-727 | Emergency Shutoff | P1 |
PE-11-727 | Emergency Power | P1 |
PE-12-727 | Emergency Lighting | P1 |
PE-13-727 | Fire Protection | P1 |
PE-14-727 | Temperature and Humidity Controls | P1 |
PE-15-727 | Water Damage Protection | P1 |
PE-16-727 | Delivery and Removal | P2 |
PE-17-727 | Alternate Work Site | P2 |
PE-18-727 | Location of Information System Components | P3 |
Planning | ||
PL-01-727 | Security Planning Policy and Procedures | P1 |
PL-02-727 | System Security Plan | P1 |
PL-04-727 | Rules of Behavior | P2 |
PL-08-727 | Information Security Architecture | P1 |
Personnel Security | ||
PS-01-727 | Personnel Security Policy and Procedures | P1 |
PS-02-727 | Position Risk Designation | P1 |
PS-03-727 | Personnel Screening | P1 |
PS-04-727 | Personnel Termination | P1 |
PS-05-727 | Personnel Transfer | P2 |
PS-06-727 | Access Agreements | P3 |
PS-07-727 | Third-Party Personnel Security | P1 |
PS-08-727 | Personnel Sanctions | P3 |
Risk Assessment | ||
RA-01-727 | Risk Assessment Policy and Procedures | P1 |
RA-02-727 | Security Categorization | P1 |
RA-03-727 | Risk Assessment | P1 |
RA-05-727 | Vulnerability Scanning | P1 |
System and Services Acquisition | ||
SA-01-727 | System and Services Acquisition Policy and Procedures | P1 |
SA-02-727 | Allocation of Resources | P1 |
SA-03-727 | System Development Life Cycle | P1 |
SA-04-727 | Acquisition Process | P1 |
SA-05-727 | Information System Documentation | P2 |
SA-08-727 | Security Engineering Principles | P1 |
SA-09-727 | External Information System Services | P1 |
SA-10-727 | Developer Configuration Management | P1 |
SA-11-727 | Developer Security Testing and Evaluation | P1 |
SA-12-727 | Developer Security Testing and Evaluation | P1 |
SA-15-727 | Development Process, Standards, and Tools | P2 |
SA-16-727 | Developer-provided Training | P2 |
SA-17-727 | Developer Security Architecture and Design | P1 |
System and Communications Protection | ||
SC-01-727 | System and Communications Protection Policy and Procedures | P1 |
SC-02-727 | Application Partitioning | P1 |
SC-03-727 | Security Function Isolation | P1 |
SC-04-727 | Information in Shared Resources | P1 |
SC-05-727 | Denial of Service Protection | P1 |
SC-07-727 | Boundary Protection | P1 |
SC-08-727 | Transmission Confidentiality and Integrity | P1 |
SC-10-727 | Network Disconnect | P2 |
SC-12-727 | Cryptographic Key Establishment and Management | P1 |
SC-13-727 | Cryptographic Protection | P1 |
SC-15-727 | Collaborative Computing Devices | P1 |
SC-17-727 | Public Key Infrastructure Certificates | P1 |
SC-18-727 | Mobile Code | P2 |
SC-19-727 | Voice over Internet Protocol | P1 |
SC-20-727 | Secure Name/Address Resolution Service (Authoritative Source) | P1 |
SC-21-727 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | P1 |
SC-22-727 | Architecture and Provisioning for Name/Address Resolution Service | P1 |
SC-23-727 | Session Authenticity | P1 |
SC-24-727 | Fail in Known State | P1 |
SC-28-727 | Protection of Information at Rest | P1 |
SC-39-727 | Process Isolation | P1 |
System and Information Integrity | ||
SI-01-727 | System and Information Integrity Policy and Procedures | P1 |
SI-02-727 | Flaw Remediation | P1 |
SI-03-727 | Malicious Code Protection | P1 |
SI-04-727 | Information System Monitoring | P1 |
SI-05-727 | Security Alerts, Advisories, and Directives | P1 |
SI-06-727 | Security Function Verification | P1 |
SI-07-727 | Software, Firmware, and Information Integrity | P1 |
SI-08-727 | Spam Protection | P2 |
SI-10-727 | Information Input Validation | P1 |
SI-11-727 | Error Handling | P2 |
SI-12-727 | Information Output Handling and Retention | P2 |
SI-16-727 | Memory Protection | P1 |