Policies and Standards

Information Resources Rule

The Texas A&M Transportation Institute Information Resources Rule (Rule 29.01.99.I1, Information Resources, or “Member Rule”) implements the Texas A&M University System Policy 29.01 and establishes the authority and responsibilities of the chief information officer (CIO) and chief information security officer (CISO), and authorizes procedures and standards governing the use and security of information resources within the agency.

Security Control Standards Catalog

The Texas A&M Transportation Institute Security Control Standards Catalog (“Controls Catalog”) establishes the minimum standards and controls for agency information security in accordance with the state’s Information Security Standards for Institutions of Higher Education found in Title 1, Chapter 202, Texas Administrative Code (TAC 202).

The purpose of the Controls Catalog is to provide Texas A&M Transportation Institute information owners and users with specific guidance for implementing security controls conforming to security control standards currently required in the Texas Department of Information Resources (DIR) Security Control Standards Catalog.

Each control group is organized under its two-letter group identification code and title, and adopts the numbering format of the DIR Security Control Standards Catalog.

Ensuring Compliance to the TAC 202 Security Control Standards Catalog

The ISO standardizes risk assessment methodology with the Texas Department of Information Resources. All research and support units controlling information resources must complete an annual risk assessment within an approved risk assessment tool to measure, document, and verify compliance to the Agency Security Control Standards Catalog.

The ISO ensures compliance through the risk assessment review process. Findings from annual risk assessment reviews may influence the Texas A&M Transportation Institute Information Security Plan where agency-level mitigations are enacted.

Exemptions/Exclusions from IT Policy Requirements

The information resource owner or designee (e.g., custodian, user) is responsible for ensuring that the protection measures in the Security Controls Catalog are implemented. Based on risk management considerations and business functions, the resource owner may request to exempt or exclude certain protection measures provided in a Control.

To request an exemption or exclusion, please complete the Security Control Exception Request form.