The university (Chief Information Security Officer) develops and implements a security plan that provides an overview of the security requirements and a description of the security controls in place or planned for meeting those requirements.


  • This Control is intended to apply to the university as a whole with the Department of Information Resources’ “Agency Security Plan” being the “plan” indicated in this Control. (The template for this Plan is provided by the Texas Department of Information Resources (DIR) in SPECTRIM). The university’s Chief Information Security Officer has the primary responsibility for the implementation of this Control.

  • However, all units in the university should make and execute security plans for the information resources they manage. These “plans” should be based on the results of risk assessments (e.g., risk management decisions and risk mitigation plans such as those provided in SPECTRIM).


  • 1

    The Chief Information Security Officer shall develop a security plan for information systems that:

    • 1.1

      is consistent with the university’s enterprise architecture;

    • 1.2

      explicitly defines the authorization boundary for the system;

    • 1.3

      describes the operational context of the information system in terms of missions and business processes;

    • 1.4

      provides the security categorization of the information system including supporting rationale (see Control RA-2, Security Categorization);

    • 1.5

      describes the operational environment for the information systems and relationships with or connections to other university information systems;

    • 1.6

      provides an overview of the security requirements for the systems;

    • 1.7

      identifies any relevant overlays, if applicable;


      Overlay/Tailoring description: The university may initiate a tailoring process to modify and align security controls more closely with the specific conditions within the university. This tailoring can include a variety of enhanced guidance (or overlays) for security controls that are specific to the university.

    • 1.8

      describes the security controls in place or planned for meeting requirements, including rationale for the tailoring and supplementation decisions; and

    • 1.9

      is reviewed and approved by the appropriate personnel prior to plan implementation.

  • 2

    The Chief Information Security Officer shall:

    • 2.1

      distribute copies of the security plan and communicate changes to the plan as appropriate to authorized individuals;

    • 2.2

      review the security plan for the information systems biennially and submit report to DIR;

    • 2.3

      update the plan to address changes to the information system, environment of operation, or issues identified during plan implementation or security control assessments; and

    • 2.4

      protect the security plan from unauthorized disclosure and modification.