Security Controls Catalog of HIGH Baseline Controls

The Texas A&M Transportation Institute Security Control Standards Catalog (“Controls Catalog”) establishes the minimum standards and controls for agency information security in accordance with the state’s Information Security Standards for Institutions of Higher Education found in Title 1, Chapter 202, Texas Administrative Code (TAC 202). For more information, visit the Policy and Standards page.

Procedure ID | Procedure Name | NIST Priority

Access Control
AC-01-727 | Access Control Policy and Procedures | P1
AC-02-727 | Account Management | P1
AC-03-727 | Access Enforcement | P1
AC-04-727 | Information Flow Enforcement | P1
AC-05-727 | Separation of Duties | P1
AC-06-727 | Least Privilege | P1
AC-07-727 | Unsuccessful Logon Attempts | P2
AC-08-727 | System Use Notification | P1
AC-10-727 | Concurrent Session Control | P3
AC-11-727 | Session Lock | P3
AC-12-727 | Session Termination | P2
AC-14-727 | Permitted Actions without Identification or Authentication | P3
AC-17-727 | Remote Access | P1
AC-18-727 | Wireless Access | P1
AC-19-727 | Access Control for Mobile Devices | P1
AC-20-727 | Use of External Information Systems | P1
AC-21-727 | Information Sharing | P2
AC-22-727 | Publicly Accessible Content | P3

Awareness and Training
AT-01-727 | Security Awareness and Training Policy and Procedures | P1
AT-02-727 | Security Awareness Training | P1
AT-03-727 | Role-Based Security Training | P1
AT-04-727 | Security Training Records | P3

Audit and Accountability
AU-01-727 | Audit and Accountability Policy and Procedures | P1
AU-02-727 | Audit Events | P1
AU-03-727 | Content of Audit Records | P1
AU-04-727 | Audit Storage Capacity | P1
AU-05-727 | Response to Audit Processing Failures | P1
AU-06-727 | Audit Review, Analysis, and Reporting | P1
AU-07-727 | Audit Reduction and Report Generation | P2
AU-08-727 | Time Stamps | P1
AU-09-727 | Protection of Audit Information | P1
AU-10-727 | Non-Repudiation | P2
AU-11-727 | Audit Record Retention | P3
AU-12-727 | Audit Generation | P1

Security Assessment and Authorization
CA-01-727 | Security Assessment and Authorization Policy and Procedures | P1
CA-02-727 | Security Assessments | P2
CA-03-727 | System Interconnections | P1
CA-05-727 | Plan of Action and Milestones | P3
CA-06-727 | Security Authorization | P2
CA-07-727 | Continuous Monitoring | P2
CA-08-727 | Penetration Testing | P2
CA-09-727 | Internal System Connections | P2

Configuration Management
CM-01-727 | Configuration Management Policy and Procedures | P1
CM-02-727 | Baseline Configuration | P1
CM-03-727 | Configuration Change Control | P1
CM-04-727 | Security Impact Analysis | P2
CM-05-727 | Access Restrictions for Change | P1
CM-06-727 | Configuration Settings | P1
CM-07-727 | Least Functionality | P1
CM-08-727 | Information System Component Inventory | P1
CM-09-727 | Configuration Management Plan | P1
CM-10-727 | Software Usage Restrictions | P2
CM-11-727 | User-Installed Software | P1

Contingency Planning
CP-01-727 | Contingency Planning Policy and Procedures | P1
CP-02-727 | Contingency Plan | P1
CP-03-727 | Contingency Training | P2
CP-04-727 | Contingency Plan Testing | P2
CP-06-727 | Alternate Storage Site | P1
CP-07-727 | Alternate Processing Site | P1
CP-08-727 | Telecommunications Services | P1
CP-09-727 | Information System Backup | P1
CP-10-727 | Information System Recovery and Reconstitution | P1

Identification and Authentication
IA-01-727 | Identification and Authentication Policy and Procedures | P1
IA-02-727 | Identification and Authentication (Organizational Users) | P1
IA-03-727 | Device Identification and Authentication | P1
IA-04-727 | Identifier Management | P1
IA-05-727 | Authenticator Management | P1
IA-06-727 | Authenticator Feedback | P2
IA-07-727 | Cryptographic Module Authentication | P1
IA-08-727 | Identification and Authentication (Non-Organizational Users) | P1

Incident Response
IR-01-727 | Incident Response Policy and Procedures | P1
IR-02-727 | Incident Response Training | P2
IR-03-727 | Incident Response Testing | P2
IR-04-727 | Incident Handling | P1
IR-05-727 | Incident Monitoring | P1
IR-06-727 | Incident Reporting | P1
IR-07-727 | Incident Response Assistance | P2
IR-08-727 | Incident Response Plan | P1

Maintenance
MA-01-727 | System Maintenance Policy and Procedures | P1
MA-02-727 | Controlled Maintenance | P2
MA-03-727 | Maintenance Tools | P3
MA-04-727 | Nonlocal Maintenance | P2
MA-05-727 | Maintenance Personnel | P2
MA-06-727 | Timely Maintenance | P2

Media Protection
MP-01-727 | Media Protection Policy and Procedures | P1
MP-02-727 | Media Access | P1
MP-03-727 | Media Marking | P2
MP-04-727 | Media Storage | P1
MP-05-727 | Media Transport | P1
MP-06-727 | Media Sanitization | P1
MP-07-727 | Media Use | P1

Physical and Environmental Protection
PE-01-727 | Physical and Environmental Protection Policies and Procedures | P1
PE-02-727 | Physical Access Authorizations | P1
PE-03-727 | Physical Access Control | P1
PE-04-727 | Access Control for Transmission Medium | P1
PE-05-727 | Access Control for Output Devices | P2
PE-06-727 | Monitoring Physical Access | P1
PE-08-727 | Visitor Access Records | P3
PE-09-727 | Power Equipment and Cabling | P1
PE-10-727 | Emergency Shutoff | P1
PE-11-727 | Emergency Power | P1
PE-12-727 | Emergency Lighting | P1
PE-13-727 | Fire Protection | P1
PE-14-727 | Temperature and Humidity Controls | P1
PE-15-727 | Water Damage Protection | P1
PE-16-727 | Delivery and Removal | P2
PE-17-727 | Alternate Work Site | P2
PE-18-727 | Location of Information System Components | P3

Planning
PL-01-727 | Security Planning Policy and Procedures | P1
PL-02-727 | System Security Plan | P1
PL-04-727 | Rules of Behavior | P2
PL-08-727 | Information Security Architecture | P1

Personnel Security
PS-01-727 | Personnel Security Policy and Procedures | P1
PS-02-727 | Position Risk Designation | P1
PS-03-727 | Personnel Screening | P1
PS-04-727 | Personnel Termination | P1
PS-05-727 | Personnel Transfer | P2
PS-06-727 | Access Agreements | P3
PS-07-727 | Third-Party Personnel Security | P1
PS-08-727 | Personnel Sanctions | P3

Risk Assessment
RA-01-727 | Risk Assessment Policy and Procedures | P1
RA-02-727 | Security Categorization | P1
RA-03-727 | Risk Assessment | P1
RA-05-727 | Vulnerability Scanning | P1

System and Services Acquisition
SA-01-727 | System and Services Acquisition Policy and Procedures | P1
SA-02-727 | Allocation of Resources | P1
SA-03-727 | System Development Life Cycle | P1
SA-04-727 | Acquisition Process | P1
SA-05-727 | Information System Documentation | P2
SA-08-727 | Security Engineering Principles | P1
SA-09-727 | External Information System Services | P1
SA-10-727 | Developer Configuration Management | P1
SA-11-727 | Developer Security Testing and Evaluation | P1
SA-12-727 | Supply Chain Protection | P1
SA-15-727 | Development Process, Standards, and Tools | P2
SA-16-727 | Developer-Provided Training | P2
SA-17-727 | Developer Security Architecture and Design | P1

System and Communications Protection
SC-01-727 | System and Communications Protection Policy and Procedures | P1
SC-02-727 | Application Partitioning | P1
SC-03-727 | Security Function Isolation | P1
SC-04-727 | Information in Shared Resources | P1
SC-05-727 | Denial of Service Protection | P1
SC-07-727 | Boundary Protection | P1
SC-08-727 | Transmission Confidentiality and Integrity | P1
SC-10-727 | Network Disconnect | P2
SC-12-727 | Cryptographic Key Establishment and Management | P1
SC-13-727 | Cryptographic Protection | P1
SC-15-727 | Collaborative Computing Devices | P1
SC-17-727 | Public Key Infrastructure Certificates | P1
SC-18-727 | Mobile Code | P2
SC-19-727 | Voice over Internet Protocol | P1
SC-20-727 | Secure Name/Address Resolution Service (Authoritative Source) | P1
SC-21-727 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | P1
SC-22-727 | Architecture and Provisioning for Name/Address Resolution Service | P1
SC-23-727 | Session Authenticity | P1
SC-24-727 | Fail in Known State | P1
SC-28-727 | Protection of Information at Rest | P1
SC-39-727 | Process Isolation | P1

System and Information Integrity
SI-01-727 | System and Information Integrity Policy and Procedures | P1
SI-02-727 | Flaw Remediation | P1
SI-03-727 | Malicious Code Protection | P1
SI-04-727 | Information System Monitoring | P1
SI-05-727 | Security Alerts, Advisories, and Directives | P1
SI-06-727 | Security Function Verification | P1
SI-07-727 | Software, Firmware, and Information Integrity | P1
SI-08-727 | Spam Protection | P2
SI-10-727 | Information Input Validation | P1
SI-11-727 | Error Handling | P2
SI-12-727 | Information Output Handling and Retention | P2
SI-16-727 | Memory Protection | P1