• The Digital Millennium Copyright Act of 1998 (DMCA) is a legal framework to protect the rights and management of digital works.

Federal laws that require the confidentiality of information include:

• The Family Educational Rights and Privacy Act (FERPA) which protects the educational records of all students.
• The Gramm Leach Bliley Act (GLBA) which requires financial institutions to protect the security and confidentiality of user information.
• The Health Insurance Portability and Accountability Act (HIPAA) which requires the protection and confidential handling of protected health information. The Texas A&M Controls for Health Data Privacy and Security which protects Electronic Protected Health Information (ePHI).

Payment Card Industry (PCI) compliance on the Texas A&M University campus is ultimately the responsibility of the organization that has elected to accept credit cards for payment. The Texas A&M Division of Finance facilitates the capacity for departments/organizations to accept credit cards.

As part of PCI compliance, Texas A&M Technology Services provides the approval process of network architectures and prepares the firewalls for the PCI environments. Vulnerability scans can also be run against PCI systems to check for potential weaknesses.

Any questions concerning PCI compliance can be directed to security@tamu.edu.

PCI Resources:

• PCI Security Standards

Texas A&M, as a State University, is required to comply with Texas Administrative Code, Title 1, Chapter 202 (TAC 202). TAC 202 assigns the ultimate responsibility for the security of information resources to the President of the University.

Responsibility to administer the information security requirements of TAC 202 institution-wide is granted to the university’s Chief Information Security Officer (CISO). The head or director of a unit is responsible for ensuring that compliance with TAC 202 is maintained for any information resources owned and operated by the unit.

Annual Risk Assessment

Sections 71 and 75 of TAC 202 require that a risk assessment be performed and documented by units having ownership or custodial responsibility of information resources. These assessments must be performed at least annually using the Information Security Risk Assessment Procedures (ISRAP) published by the Texas A&M CISO. The Dean or Vice President for the division in which the unit resides must formally approve the results of the information security assessment and any associated risk management plans.

Control Catalog

Section 76 of TAC 202 requires the adoption of information security controls published by the Texas Department of Information Resources. This means that all security controls found in the Texas A&M Information Security Controls Catalog are mandatory unless otherwise specified.

More Information

More information and specific procedures are described in Texas A&M University SAP 29.01.03.M0.01 - Security of Electronic Information Resources.