Information Security Program Plan (PM-1)

Under Texas Administrative Code §202.74, Institution Information Security Program, the university shall implement an information security program that includes protections, based on risk, for all information and information resources against unauthorized access, use, disclosure, modification, or destruction, including assuring the availability, confidentiality, and integrity of information.

Senior Information Security Officer (PM-2)

Texas A&M, as a State University, is required to comply with Texas Administrative Code, Title 1, Chapter 202 (TAC 202). TAC 202 assigns responsibility for the protection of information resources to the President of the University. For the purposes of this Control, the authority and responsibility for the university's compliance with TAC 202 have been delegated by the President to the Chief Information Officer (CIO).

Information Security Resources (PM-3)

Texas Administrative Code (TAC), Rule §202.70(2) requires the head of each state institution of higher education or his/her designated representative(s) to allocate resources for ongoing information security remediation, implementation, and compliance activities that reduce risk to a level acceptable to the institution head.

Plan of Action and Milestone Process (PM-4)

The University shall develop and update a plan of action and milestone process for securing information resources that documents the University's planned, implemented, and evaluated remedial actions to correct deficiencies noted during the assessment of security controls, in order to reduce or eliminate known vulnerabilities in the system.

Information System Inventory (PM-5)

To properly assess risk for the University, information resource assets shall be clearly identified and inventoried.

Information Security Measures of Performance (PM-6)

Information Security Measures of Performance include assessments of risk, identification of corrective actions, and mitigation efforts to secure University information resources.

Enterprise Architecture (PM-7)

Reviewing the implementation of new technology infrastructure, and of modifications to existing technology infrastructure, ensures that the use of information resources is in line with the university's strategic goals.

Risk Management Strategy (PM-9)

The university develops a risk management strategy to secure university operations and assets.

Authorization Process (PM-10)

The university integrates authorization processes into its risk management program.

Testing, Training, and Monitoring (PM-14)

It is important that activities associated with security and privacy testing, training, and monitoring are coordinated across the university. Coordination enables plans and activities to be informed by current threat and vulnerability assessments.

Security and Privacy Groups and Associations (PM-15)

The university maintains ongoing contact with security and privacy groups and associations, which is important in an environment of rapidly changing technologies and threats. Such groups and associations include special interest groups, professional associations, forums, news groups, users' groups, and peer groups of security and privacy professionals in higher education and similar organizations.

Threat Awareness Program (PM-16)

The University is responsible for establishing and promoting a suitable and relevant threat awareness program to enhance awareness of University information security policies and procedures.