What is this?

Does the very mention of “Security Controls” make you queasy? Would you prefer a root canal over reviewing information security standards? Take heart! The Information Security Controls Catalog doesn’t need to be daunting — it provides specific directions that can help you protect your information resources and align with state and federal requirements.

This message is the first in a new series designed to highlight the more significant controls ... and why they are important to you! With our campus IT community following the same security standards, we can more effectively work together to keep Texas A&M safe.

Now grab a cup of coffee and get ready for the delightful tale of RA-2.

 

Better Know A Control — RA-2

It’s tough keeping everyone’s data safe on campus, since we face millions of complex threats every day. Losing or leaving data unprotected can cause major headaches for the university and individuals. Plus, it can be illegal in some cases (so there’s that). 

Certain types of data require more protection than others. For example, compare a phone number to a social security number. We do more to protect a social security number because that information can be far more damaging in the wrong hands. That’s where Security Categorization (RA-2) comes in. Following RA-2 helps ensure sensitive data is protected appropriately, and we are meeting our responsibilities as data custodians.

 

How does RA-2 impact me?

If you have university data in your possession or direct control, there are several requirements in RA-2 that depend on your data’s classification. For example: 

  • Websites or mobile applications that process confidential data must be tested for vulnerabilities by the Division of IT or an approved vendor. 
  • Systems that store or process restricted or confidential data must use file encryption or full-disk encryption. The type of encryption and key management is up to you; the Division of IT does offer an encryption key management service (Symantec Endpoint Encryption) if you want it.
  • Systems with restricted or confidential data must also use data loss prevention (Symantec DLP) software provided by the Division of IT Security team. This service can be configured in different modes depending on the needs of your workstation or server.

For information on any of these services, reach out to the Division of IT Security team in the #symantec channel in Slack, or email security@tamu.edu.

 

Where can I learn more?

See, that wasn’t too bad. If you still have any questions about RA-2 (or the best cup of coffee), email the Division of IT Risk Management & Policy team at ra@tamu.edu.