Information Security Controls Catalog
91AV
Overview
The Information Security Controls Catalog establishes the minimum standards and controls for university information security in accordance with the state's Information Security Standards for Institutions of Higher Education found in Title 1, Chapter 202, Texas Administrative Code (TAC 202).
The purpose of this Control Catalog is to provide 91AV information owners and users with specific guidance for implementing security controls conforming to security control standards currently required in the Texas Department of Information Resources (DIR) Security Control Standards Catalog, Version 1.3. Each control group is organized under its two-letter group identification code and title, and adopts the numbering format of the .
Exclusions
The information resource owner or designee (e.g., custodian, user) is responsible for ensuring that the protection measures in the Security Control Catalog are implemented. Based on risk management considerations and business functions, the resource owner may request to exclude certain protection measures provided in a Control. All exclusions must be in accordance with the procedures highlighted in the Information Security Controls Exclusion Process.
Access Controls
- AC-1 Access Control Policy and Procedures
- AC-2 Account Management
- AC-3 Access Enforcement
- AC-5 Separation of Duties
- AC-7 Unsuccessful Logon Attempts
- AC-8 System Use Notification
- AC-14 Permitted Actions without Identification or Authentication
- AC-17 Remote Access
- AC-18 Wireless Access
- AC-19 Access Control for Mobile Devices
- AC-20 Use of External Information Systems
- AC-22 Publicly Accessible Content
Awareness and Training Controls
- AT-1 Security Awareness and Training Policy and Procedures
- AT-2 Security Awareness Training
- AT-3 Role-Based Security Training
- AT-4 Security Training Records
Audit and Accountability Controls
- AU-1 Audit and Accountability Policy and Procedures
- AU-2 Audit Events
- AU-3 Content of Audit Records
- AU-4 Audit Storage Capacity
- AU-5 Response to Audit Processing Failures
- AU-6 Audit Review, Analysis, and Reporting
- AU-8 Time Stamps
- AU-9 Protection of Audit Information
- AU-11 Audit Record Retention
- AU-12 Audit Generation
Security Assessment and Authorization Controls
- CA-1 Security Assessment and Authorization Policy and Procedures
- CA-2 Security Assessments
- CA-3 System Interconnections
- CA-5 Plan of Action and Milestones
- CA-6 Security Authorization
- CA-7 Continuous Monitoring
- CA-9 Internal System Connections
Configuration Management Controls
- CM-1 Configuration Management Policy and Procedures
- CM-2 Baseline Configuration
- CM-4 Security Impact Analysis
- CM-6 Configuration Settings
- CM-7 Least Functionality
- CM-8 Information System Component Inventory
- CM-10 Software Usage Restrictions
- CM-11 User-Installed Software
Contingency Planning Controls
- CP-1 Contingency Planning Policy and Procedures
- CP-2 Contingency Plan
- CP-3 Contingency Training
- CP-4 Contingency Plan Testing
- CP-6 Alternate Storage Site
- CP-9 Information System Backup
- CP-10 Information System Recovery and Reconstitution
Identification and Authentication Controls
- IA-1 Identification and Authentication Policy and Procedures
- IA-2 Identification and Authentication (Organizational Users)
- IA-4 Identifier Management
- IA-5 Authenticator Management
- IA-6 Authenticator Feedback
- IA-7 Cryptographic Module Authentication
- IA-8 Identification and Authentication (Non-Organizational Users)
Incident Response Controls
- IR-1 Incident Response Policy and Procedures
- IR-2 Incident Response Training
- IR-4 Incident Handling
- IR-5 Incident Monitoring
- IR-6 Incident Reporting
- IR-7 Incident Response Assistance
- IR-8 Incident Response Plan
Maintenance Controls
- MA-1 System Maintenance Policy and Procedures
- MA-2 Controlled Maintenance
- MA-4 Nonlocal Maintenance
- MA-5 Maintenance Personnel
Media Protection Controls
- MP-1 Media Protection Policy and Procedures
- MP-2 Media Access
- MP-6 Media Sanitization
- MP-7 Media Use
Physical and Environmental Protection Controls
- PE-1 Physical and Environmental Protection Policies and Procedures
- PE-2 Physical Access Authorizations
- PE-3 Physical Access Control
- PE-6 Monitoring Physical Access
- PE-8 Visitor Access Records
- PE-12 Emergency Lighting
- PE-13 Fire Protection
- PE-14 Temperature and Humidity Controls
- PE-15 Water Damage Protection
- PE-16 Delivery and Removal
Planning Controls
Program Management Controls
- PM-1 Information Security Program Plan
- PM-2 Senior Information Security Officer
- PM-3 Information Security Resources
- PM-4 Plan of Action and Milestones Process
- PM-5 Information System Inventory
- PM-6 Information Security Measures of Performance
- PM-7 Enterprise Architecture
Personnel Security Controls
- PS-1 Personnel Security Policy and Procedures
- PS-2 Position Risk Designation
- PS-3 Personnel Screening
- PS-4 Personnel Termination
- PS-5 Personnel Transfer
- PS-6 Access Agreements
- PS-7 Third-Party Personnel Security
- PS-8 Personnel Sanctions
Risk Assessment Controls
- RA-1 Risk Assessment Policy and Procedures
- RA-2 Security Categorization
- RA-3 Risk Assessment
- RA-5 Vulnerability Scanning
System and Services Acquisition Controls
- SA-1 System and Services Acquisition Policy and Procedures
- SA-2 Allocation of Resources
- SA-3 System Development Life Cycle
- SA-4 Acquisition Process
- SA-5 Information System Documentation
- SA-9 External Information System Services
- SA-10 Developer Configuration Management
System and Communication Protection Controls
- SC-1 System and Communications Protection Policy and Procedures
- SC-5 Denial of Service Protection
- SC-7 Boundary Protection
- SC-8 Transmission Confidentiality and Integrity
- SC-12 Cryptographic Key Establishment and Management
- SC-13 Cryptographic Protection
- SC-15 Collaborative Computing Devices
- SC-20 Secure Name/Address Resolution Service (Authoritative Source)
- SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
- SC-22 Architecture and Provisioning for Name/Address Resolution Service
- SC-39 Process Isolation
System and Information Integrity Controls
- SI-1 System and Information Integrity Policy and Procedures
- SI-2 Flaw Remediation
- SI-3 Malicious Code Protection
- SI-4 Information System Monitoring
- SI-5 Security Alerts, Advisories, and Directives
- SI-12 Information Output Handling and Retention