Controls Catalog Groups

The Texas A&M Information Security Controls Catalog establishes the minimum standards and controls for university information security in accordance with the state's Information Security Standards for Institutions of Higher Education found in Title 1, Chapter 202, Texas Administrative Code (TAC 202).

The purpose of this Controls Catalog is to provide Texas A&M University information owners and users with specific guidance for implementing security controls conforming to security control standards currently required in the Texas Department of Information Resources (DIR) Security Control Standards Catalog, Version 1.3.

Each control group is organized under its two-letter group identification code and title, and adopts the numbering format of the DIR Security Control Standards Catalog.


The information resource owner is responsible for ensuring that the protection measures in the Security Controls Catalog are implemented. Based on risk management considerations and business functions, the resource owner may request to exclude certain protection measures mandated by a control in favor of an alternate mitigation. This process is described in detail in SAP 29.01.03.M0.03 - Exceptions from Required Risk Mitigation Measures.

Use the IT Policy Exception Request form to request an exception to any security control. Once submitted and processed by the office of the CISO, an opinion for approval or denial will be submitted back to the requestor.