PM-15-727 Contacts with Security Groups and Associations

Contacts with Security Groups and Associations

Control ID

PM-15-727

Control Name

Contacts with Security Groups and Associations

Control Category

Program Management

Functional Areas

Protect

Sub-Areas

System Communications Protection

NIST Baseline Level(s)

NOT SELECTED

NIST Priority

State Implementation Required

Agency Last Implemented Date

February 15, 2018

Agency Implementation

The Agency shall maintain an active participating relationship with: (a) the Texas A&M University System's Information Security Officers Working Group; (b) the Texas A&M University System Security Operations Center User Group; (c) the State of Texas Information Security Working Group, and (d) the Center for Internet Security's Multi-State Information Sharing & Analysis Center. Information security employees are encouraged to maintain relationships with additional professional groups and associations, such as InfraGard, (ISC)2, CompTIA, etc. to maintain currency with recommended security practices, techniques, and technologies.

Risk Statement

Inadequate contacts and communication protocols with relevant authorities and special interest groups may result in the lack of knowledge of latest security threats and industry trends, information security incidents going unreported or unsupported by leg

Control Description

The organization establishes and institutionalizes contact with selected groups and associations within the security community: a. To facilitate ongoing security education and training for organizational personnel; b. To maintain currency with recommended security practices, techniques, and technologies; and c. To share current security-related information including threats, vulnerabilities, and incidents.

Control Example

Employee personnel are members of external information security organizations.

State Implementation

State implementation of this standard is incorporated into TAC 202.

Testing Procedures

Obtain documentation addressing the organization's contact with security groups and associations and ascertain if (i) contact with these groups is established and institutionalized (ii) security education and training for personnel is facilitated through this network (iii) security practices, techniques, and technologies is maintained up to date (iv) current security related information is shared