Skip to main content

One post tagged with "si-5"

View All Tags

Updated Security Control Standards

· 2 min read
Nick McLarty
Nick McLarty
Deputy Chief Information Security Officer

We released today a series of administrative changes to the security control standards. The majority of these changes moved TAMUS Implementation Statement language into organizationally-defined parameters (ODP) within each control, as well as implementing control standards that reflect existing system policy and assigning an impact baseline for all TAMUS-required controls.

The changes to controls include:

  • AC-2(7): Implementation language moved to AT-3
  • AC-8: Withdrawn TAMUS implementation language
  • AT-2: Added ODP for frequency of training
  • AT-2(2): Implemented insider threat training as part of the system delivered Information Security Awareness (3001) course
  • AT-2(3): Implemented social engineering and mining training as part of the system delivered Information Security Awareness (3001) course
  • AT-3: Implemented language moved from AC-2(7) for privileged user role-based training
  • AT-4: Implemented language to address recordkeeping of training delivered via TrainTraq
  • CA-2: Added ODP for frequency of control assessments
  • CA-2(1): Implemented language from 1 TAC 202
  • CM-6: Eliminated language referring to major information systems, relying solely on high-impact systems
  • CP-4: Moved TAMUS implementation language into ODP
  • IA-2(1): Removed TAMUS implementation statement in lieu of DIR having a higher implementation burden
  • IA-5(9): Moved TAMUS implementation language into ODP
  • IR-4: Added references from 29.01.03 to TAMUS implementation statement
  • IR-4(1): Added ODP for automated incident handling process using TAMUS Cyber provided toolsets
  • IR-4(8): Added ODP with references from 29.01.03
  • IR-4(14): Added references from 29.01.03 to TAMUS implementation statement
  • IR-6: Moved TAMUS implementation language into ODP
  • IR-6(1): Added ODP with references from 29.01.03
  • PL-4: Added ODP for frequency of reviewing rules of behavior
  • PL-10: Implemented language to define the control baseline for A&M System information resources
  • PM-5: Added ODP for frequency of updating inventories of information systems
  • PT-3: Moved to SI-12(1)
  • RA-3: Added ODP with references from 29.01.03
  • RA-5(11): Added ODP to designate TAMUS Cyber Operations as central point of contact for public vulnerability disclosures, inheriting authority from 29.01.03
  • SI-5(1): Added ODP for automated reporting with references from 29.01.03
  • SI-12(1): Implemented control moved from PT-3
  • SR-6: Implemented language designating TAMUS Cyber as provider of supplier assessments and reviews