Security Assessment and Authorization Policy and Procedures (CA-1)

The university develops, disseminates, and periodically reviews/updates formal, documented procedures to facilitate the implementation of the Security Assessment and Authorization policy and associated Security Assessment and Authorization controls.

Security Assessments (CA-2)

A review of the university's information security program for compliance with Texas Administrative Code 202 standards will be performed at least biennially, based on business risk management decisions, by individual(s) independent of the information security program and designated by the university President or his or her designee.

System Interconnection (CA-3)

The university authorizes all dedicated connections from university information resources to other information resources outside of the university through the use of system connection agreements and monitors/controls the connections on an ongoing basis.

Plan of Action and Milestones (CA-5)

The university identifies, accepts, mitigates, and responds to risks identified in the annual risk assessments with actionable plans and decisions.

Security Authorization (CA-6)

The university authorizes the information resource for processing before operations or when there is a significant change to the system.

Continuous Monitoring (CA-7)

The university monitors security controls for information resources on an ongoing basis.

Penetration Testing (CA-8)

The university conducts penetration testing of information resources based on risk management decisions. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls.

Internal System Connection (CA-9)

The university has a procedure for authorizing internal interfaces between information resources.