Review and Draft Process

Texas A&M Information Security Controls are developed from the State's Security Controls Standards Catalog (Version 1.3.) These standards present specific guidance for implementing security controls at the university level, as required under Texas Administrative Code §202.76. Changes and additions to security controls in this catalog generally go through a multi-stage process:

  1. Texas A&M Technology Services Risk Management and Policy staff create an initial draft of the security controls.
  2. This draft is then reviewed and modified by an advisory group of IT professionals. This advisory group represents a wide range of university IT environments, and meets jointly with an IRPSC subcommittee for policy review.
  3. After review by the advisory group, the changed control is passed to IT Governance for a vote by the Information Risk, Policy & Security Committee (IRPSC). 
  4. After review and approval by IRPSC, the changed control is passed to the CIO for final review. At this point, the new or revised control is posted in draft form for public comment.
  5. After a minimum of two weeks, and upon approval by the CIO, the DRAFT notice is removed, and the new or revised control is adopted as part of the control catalog.

IT Policy Announce List

For individuals who wish to be notified of changes to the control catalog or other university IT rules and procedures, there is a mailing list and companion Slack channel available. 

The IT Policy Announce list is an opt-in mailing list created to communicate changes to Texas A&M Rules and Standard Administrative Procedures (SAPs) that relate to information technology, and also any changes to the Texas A&M Information Security Control CatalogThe mailing list is intended to be a broadcast mechanism only, so posting will be restricted to university officials working with the policy review process. There is also an associated #it-policy Slack channel which will provide an additional outlet for these announcements, and also a more appropriate forum for discussion.

As noted above, any new controls added to the catalog or modifications made to existing controls are posted online for public comment. Controls posted for public comment always include a draft note with guidance on which sections were modified. When a control is added to that site, it will be announced on the mailing list and the Slack channel. Likewise, when changes are recommended to Rules or SAPs in section 29 (those that relate to information technology), those changes will also be announced in the same manner.

The mailing list is hosted on Google Groups. To subscribe, you must:

  1. Be signed in with your TAMU Google Account
  2. Go to:!forum/it-policy
  3. Click the *Join Group* button.
The email address for the mailing list is:

Stakeholder and Advisory Group

A stakeholder group reviews and offers input into draft security controls prior to being posted for public review.

Advisory Group Members:

Andy Bland
Executive Director, Information Technology
Division of Finance & Administration

Aaron Brender
Director, Information Technology
Vice President for Research

Jim Rosser
Information Technology Manager
International Ocean Discovery Program

Anthony Schneider
Senior Associate Director, Information Technology
Division of Student Affairs

Debra Dandridge
Policy Analyst
Texas A&M Engineering Experiment Station (TEES)

David Sweeney
Director, Information Technology
Texas A&M Transportation Institute (TTI)

Garrett Yamada
Policy Analyst
College of Architecture