IT Policy

In 2015, the Texas Department of Information Resources (DIR) revised Texas Administrative Code Chapter 202, Information Security Standards. The new rule includes provisions in TAC §202.76 that mandates the standards to be used by all institutions of higher education to provide levels of information security according to risk levels. In 2016, DIR released a revised version of the Security Controls Standard Catalog.

As part of a formal review of TAC 202, DIR researched a number of security policies and standards before determining the use of security controls would provide state agencies and higher education institutions specific guidance for implementing security controls in a format that easily aligns with the National Institute of Standards and Technology Special Publication 800-53 Version 4 (NIST SP 800-53 Rev. 4).

The information resource owner or designee is responsible for ensuring the protection measures in the Security Control Catalog are implemented. Based on risk management considerations and business functions, the resource owner may request to exclude certain protection measures provided in a control. All exclusions must be in accordance with the procedure below.

Email to obtain the exclusion request form. Once submitted and processed by the office of the CISO, an opinion for approval or denial will be submitted back to the requestor.

DIR has introduced a new tool to support state agencies and institutions of higher education in conducting state-mandated security risk assessments. The tool introduced by DIR includes NIST SP 800-53, Rev. 4 Security Controls as a baseline reference for questions rather than DIR Security Controls Standard.

IT Risk Management

All administrators must ensure that risk assessments are performed on all information resources they manage. More information about the requirements can be found here.

Technology Services' Risk Management and Policy Team provides assistance with the interpretation of questions.

Find out more about the dean and VP approval process.  

IT Continuity of Operations

COOP plan addresses the emergencies from an all-hazards approach. Its purpose is to ensure critical business functions can be performed efficiently during emergency relocation. A DRP is primarily a site-specific plan developed with procedures to move operations of one or more information systems from a damaged or uninhabitable location to a temporary alternate location. Once the DRP has successfully transferred an information system site to an alternate site, each affected system would then use its respective information system contingency plan to restore, recover, and test systems and put them into operation.

For more information on COOP planning, see

An ISCP is maintained by the information resource custodian, who is directly responsible for overseeing the recovery and reconstitution process of the IT service.

A unit/department IT DRP should be created at the highest level in the organization as practical (ie college, department or division).

A BIA is required to determine if a unit/department manages mission critical resources. A BIA assess systematically the potential impacts of a loss of business functionality due to an interruption of computing and/or infrastructure support services resulting from various events.

No, each unit/department should maintain a unit/department IT DRP for the IT service(s) it manages. The Texas A&M University IT DRP is limited to the Essential IT Services that support critical infrastructure functions as defined in Annex J (Institutional Continuity Plan).

An analysis is only required if the IT service is determined to be an Essential IT Service and the actual Recovery Time Objective (RTO) is not in alignment with the required RTO.

An IT service can be both mission critical to the department that manages the IT service and essential to the university. In the event that an IT service is designated by the Chief Information Officer (CIO) and the Associate Vice President of the Office of Safety and Security as an Essential IT Service, the IT service must meet the requirements for both mission critical and Essential IT Services.


To prevent accidental exposure of confidential information, only requests submitted by a Public Information Liaison Coordinator (PILC) of a unit for mailboxes belonging to their respective unit are considered valid. Another individual within their unit, such as IT, may submit a request on their behalf, but there must be sufficient documented evidence that the request originated from the PILC. If in doubt, the PILC will be contacted to verify the authenticity of the request.

Due to the time sensitivity and legal requirements of fulfilling a PIR, reducing communication delays is paramount. Please email or contact the Chief Information Security Office at directly. If you have not received direct acknowledgement of the request from a member of the Chief Information Security Office within four business hours, please email

Depending on context, a preservation hold can either refer to the process of preserving ESI or a technical feature within a software application such as the Microsoft In-Place Hold and Litigation Holds feature of Exchange.

AccessData EDiscovery is an enterprise-grade E-Discovery platform utilized by OGC for some of their operations. The bulk of the platform is not accessible outside of OGC personnel.

Communications sent through the platform not only serve as official notification but also may provide links to certain functions of the platform necessary to fulfill a responsibility. These may include acknowledging the hold, completing an E-Discovery questionnaire, or other tasks requiring non-OGC personnel to interact with the platform.

If a mailbox is placed on hold within the email server, all email within that mailbox will be retained on the server independent of a user’s actions. For this reason, a user may delete and clear deleted items from that mailbox, however, the email will persist on the server until the hold has been lifted from that mailbox.

For instances where email is archived and stored outside of the email platform, the email is not protected by the hold features of Microsoft Exchange or Gmail. Please contact the ESI Preservation Coordinator or designee if there are any questions regarding the preservation of email.

The functions of the platform requiring interaction from university personnel generally utilize unique links sent via email and a simplified web interface. Access to the platform is at the sole discretion of OGC.