Review and Draft Process
Texas A&M Information Security Controls are developed from the State's Security Controls Standards Catalog (Version 1.3). These standards present specific guidance for implementing security controls at the university level, as required under Texas Administrative Code §202.76. Changes and additions to security controls in this catalog generally go through a multi-stage process:
- Texas A&M Technology Services Risk Management and Policy staff create an initial draft of the security controls.
- This draft is then reviewed and modified by an advisory group of IT professionals. This advisory group represents a wide range of university IT environments, and meets jointly with an Information Risk, Policy & Security Committee (IRPSC) subcommittee for policy review.
- After review by the advisory group, the changed control is passed to IT Governance for a vote by the IRPSC.
- After review and approval by IRPSC, the changed control is passed to the CIO for final review. At this point, the new or revised control is posted in draft form for public comment.
- After a minimum of two weeks, and upon approval by the CIO, the DRAFT notice is removed, and the new or revised control is adopted as part of the control catalog.
IT Policy Announce List
For individuals who wish to be notified of changes to the control catalog or other university IT rules and procedures, there is a mailing list and companion Slack channel available.
The IT Policy Announce list is an opt-in mailing list created to communicate changes to Texas A&M Rules and Standard Administrative Procedures (SAPs) that relate to information technology, and also any changes to the Texas A&M Information Security Control Catalog. The mailing list is intended to be a broadcast mechanism only, so posting will be restricted to university officials working with the policy review process. There is also an associated #it-policy Slack channel which will provide an additional outlet for these announcements, and also a more appropriate forum for discussion.
As noted above, any new controls added to the catalog or modifications made to existing controls are posted online for public comment. Controls posted for public comment always include a draft note with guidance on which sections were modified. When a control is added to that site, it will be announced on the mailing list and the Slack channel. Likewise, when changes are recommended to Rules or SAPs in section 29 (those that relate to information technology), those changes will also be announced in the same manner.
The mailing list is hosted on Google Groups. To subscribe, you must:
- Be signed in with your TAMU Google Account
- Go to: https://groups.google.com/a/lists.tamu.edu/forum/#!forum/it-policy
- Click the *Join Group* button.
Stakeholder and Advisory Group
A stakeholder group reviews and offers input into draft security controls before they are posted for public review.
Advisory Group Members:
Andy Bland
Executive Director, Information Technology
Division of Finance & Administration
Aaron Brender
Director, Information Technology
Vice President for Research
Jim Rosser
Information Technology Manager
International Ocean Discovery Program
Anthony Schneider
Senior Associate Director, Information Technology
Division of Student Affairs
Debra Dandridge
Policy Analyst
Texas A&M Engineering Experiment Station (TEES)
David Sweeney
Director, Information Technology
Texas A&M Transportation Institute (TTI)
Garrett Yamada
Policy Analyst
College of Architecture